Proxying of Android App Successful except for select, common Google hosts

[StevenRoosa]

Proxying Android App Successfully except select, common hosts from Google

All HTTPS connections are successfully proxied by mitmproxy except for common hosts for Google, such as pubads.g.doubleclick. Seems highly unlikely these are pinned.

The specific error is:

warn: Client TLS handshake failed. The client does not trust the proxy's certificate for pubads.g.doubleclick.net (OpenSL Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')]))

Because the all of the other HTTPS connections from the app (and there are many) are proxied successfully, I do not believe there is any misconfiguration on the user side with installation of certificate, connecting to mitmproxy etc.

Steps to reproduce the behavior:

1. I can't provide the apps that I was testing (is client confidential), but if that becomes imperative, I can try and find another app for that purpose to reproduce (but maybe it will be clear from the above the nature of the issue).
2. Note: on configuration -- I have installed the mitmproxy cert directly in the system trust store on Android using a Magisk module for that purpose. Android phone is rooted with Magisk. Target phone is a pixel 5 running Android 11. Exact Same issue repeated with same app on a Blu G9 running Android 8.
3. Also, had same issue on both Mitmproxy 7 and clean install of Mitmproxy 8.

System Information

Mitmproxy: 8.0.0 binary
Python: 3.10.2
OpenSSL: OpenSSL 1.1.1n 15 Mar 2022
Platform: Linux-5.4.0-107-generic-x86_64-with-glibc2.31

[Pactortester]

You can add it when you start！

--ssl-insecure

[StevenRoosa]

The --ssl-insecure option didn't fix it (I think because the issue here is that the client is not trusting the proxy certificate, as opposed to whether mitmproxy is validating the certificate from the upstream server.). Normally I would think cert pinning, but I can't imagine Google uses cert-pinning for these hosts (including pubads.g.doubleclick.net, for example)

[mhils]

The error message you posted makes it 100% clear that the client does not trust mitmproxy's CA cert for those connections (the client is sending an active alert indicating so). It's not unlikely that the app uses an SDK which does pinning.

[kevin0t]

You can try using Lsposed module sslunpinning. It does help unpinning in some cases.

[SekiBetu]

yeah, it works, and this one also works
https://github.com/kasnder/JustTrustMe/releases

as for the root CA certs installation on android 7 to android 12 or above, you need to unlock the bootloader and install magisk,
and then install this magisk module to copy your user certs to root certs path during the phone reboot process
https://github.com/NVISOsecurity/MagiskTrustUserCerts

[tracer9k]

I have an issue with 8.x as well, today my raspberry pi 4 decided somehow to upgrade itself to the latest 22.04LTS and jumped from python 3.9 to 3.10, so had to reinstall some things. Until yesterday I was running 7.0.4 with some addons I wrote and this worked fine for parsing data out of network traffic from an old Android phone (Android 8 with root + JustTrustme if I'm not mistaken)

I couldn't get the 8.x version up and running with the existing config, I got handshake/cipher negotiation issues between mitmproxy and the client. I removed the certificate, so the latest version could generate a new CA, put iton the phone, but still no luck same issues remain. I tried several minimum/maximum client versions, and specifying ciphers but no luck either.
I reinstalled 7.0.4 and now it's working again - with previously configured values:

ssl_insecure: true
tls_version_client_min: SSL3 
tls_version_client_max: TLS1_3

I believe the issue is in particular with SSL connections to websockets, haven't had the time to investigate more thoroughly because of other work.

More than happy to try provide more information if we could find a solution for this,

thank you

[tracer9k]

Haven't tried it yet, but I think the fix for 5546 might have resolved this for me as well
#5546
6ff5d0c