Proxying of Android App Successful except for select, common Google hosts #5266
-
You can add it when you start!
-
The --ssl-insecure option didn't fix it (I think because the issue here is that the client is not trusting the proxy certificate, as opposed to whether mitmproxy is validating the certificate from the upstream server). Normally I would think cert pinning, but I can't imagine Google uses cert-pinning for these hosts (including pubads.g.doubleclick.net, for example).
-
The error message you posted makes it 100% clear that the client does not trust mitmproxy's CA cert for those connections (the client is sending an active alert indicating so). It's not unlikely that the app uses an SDK which does pinning.
-
You can try using the LSPosed module sslunpinning. It does help with unpinning in some cases.
-
I have an issue with 8.x as well. Today my Raspberry Pi 4 somehow decided to upgrade itself to the latest 22.04 LTS and jumped from Python 3.9 to 3.10, so I had to reinstall some things. Until yesterday I was running 7.0.4 with some addons I wrote, and this worked fine for parsing data out of network traffic from an old Android phone (Android 8 with root + JustTrustMe, if I'm not mistaken). I couldn't get the 8.x version up and running with the existing config; I got handshake/cipher negotiation issues between mitmproxy and the client. I removed the certificate so the latest version could generate a new CA and put it on the phone, but still no luck; the same issues remain. I tried several minimum/maximum client versions and specifying ciphers, but no luck either.
I believe the issue is in particular with SSL connections to websockets; I haven't had the time to investigate more thoroughly because of other work. I'm more than happy to try to provide more information if we could find a solution for this, thank you.
-
Proxying Android App Successfully except select, common hosts from Google
All HTTPS connections are successfully proxied by mitmproxy except for common hosts for Google, such as pubads.g.doubleclick. Seems highly unlikely these are pinned.
The specific error is:
warn: Client TLS handshake failed. The client does not trust the proxy's certificate for pubads.g.doubleclick.net (OpenSSL Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')]))
Because all of the other HTTPS connections from the app (and there are many) are proxied successfully, I do not believe there is any misconfiguration on the user side with installation of the certificate, connecting to mitmproxy, etc.
Steps to reproduce the behavior:
System Information
Mitmproxy: 8.0.0 binary
Python: 3.10.2
OpenSSL: OpenSSL 1.1.1n 15 Mar 2022
Platform: Linux-5.4.0-107-generic-x86_64-with-glibc2.31
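A triage helper for the failure discussed in this thread, added here as an example (it is not part of the original discussion and not mitmproxy code): it reads mitmproxy log lines, counts the hosts for which the client sent a certificate alert, and builds a pattern for mitmproxy's --ignore-hosts option so those connections are passed through instead of intercepted. The log lines are constructed from the message quoted in the post; ads.example.test, api.example.test, the function names and port 443 are assumptions.

```python
import re
from collections import Counter

# Constructed sample log. The warn lines follow the message quoted in the post;
# the info line is made up to show that unrelated entries are skipped.
SAMPLE_LOG = """\
warn: Client TLS handshake failed. The client does not trust the proxy's certificate for pubads.g.doubleclick.net (OpenSSL Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')]))
info: 192.0.2.10:50412: GET https://api.example.test/v1/items
warn: Client TLS handshake failed. The client does not trust the proxy's certificate for pubads.g.doubleclick.net (OpenSSL Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')]))
warn: Client TLS handshake failed. The client does not trust the proxy's certificate for ads.example.test (OpenSSL Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')]))
"""

# Matches the client-side rejection message and captures the host and the OpenSSL detail.
REJECTED = re.compile(
    r"Client TLS handshake failed\. The client does not trust the proxy's "
    r"certificate for (?P<host>[A-Za-z0-9.-]+) "
    r"\(OpenSSL Error\((?P<detail>.*)\)\)\s*$"
)


def rejected_hosts(lines):
    """Count, per hostname, handshakes the client aborted with a certificate alert."""
    counts = Counter()
    for line in lines:
        m = REJECTED.search(line)
        if m and "alert certificate unknown" in m.group("detail"):
            counts[m.group("host").lower().rstrip(".")] += 1
    return counts


def ignore_hosts_regex(hosts, port=443):
    """Build one anchored host:port regex for --ignore-hosts (None if no hosts)."""
    if not hosts:
        return None
    alternatives = "|".join(re.escape(h) for h in sorted(hosts))
    return rf"^(?:{alternatives}):{port}$"


if __name__ == "__main__":
    counts = rejected_hosts(SAMPLE_LOG.splitlines())
    for host, n in counts.most_common():
        print(f"{n:3d}  {host}")
    print("--ignore-hosts", repr(ignore_hosts_regex(counts)))
```

Hosts that fail on every attempt while the rest of the app's traffic is intercepted normally are the usual signature of a component that does not use the system or user trust store for those connections.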