5

I am trying to intercept SSL traffic from my Android app to test the security. I am using certificate pinning in the hopes I can prevent people from snooping. I have tested by configuring ProxyDroid to route traffic through my proxy, for which I have used both Fiddler and Charles. However, I get different results with the two proxy server programs.

With Fiddler I was not able to intercept traffic and my app fails to connect to the server. I even manually imported the Fiddler root certificate into /system/etc/security/cacerts and verified that it shows up in the system truststore, but still my app behaves as it should.

With Charles, however, I didn't even need to import the root certificate to my Android phone. Out of the box, I was able to intercept all SSL traffic between my app and my server.

So my question is, how is it possible for Charles to accomplish this even though Fiddler is not able to?

blizz
  • 171
  • 1
  • 4
  • Are you really sure that you are using SSL with certificate pinning and Charles has no idea of your private key? In this case it should be impossible for Charles to do a man-in-the-middle attack (intercept and decrypt traffic). You might better check with tcpdump/wireshark what's really going on. – Steffen Ullrich Nov 02 '14 at 07:18
  • Show some code and stack traces (for Fiddler). Also, you don't really need to put the root certificate in `/etc/security/cacerts`, you can (and should) import via Settings on Android 4.0+ – Nikolay Elenkov Nov 07 '14 at 05:06

3 Answers

5

If Charles proxy is able to intercept SSL/TLS traffic, then certificate validation has failed. This demonstrates that the mobile device is not properly verifying the server's certificate.

In a mobile security assessment, certificate pinning can be disabled by hooking the platform's SSL/TLS implementation and changing how certificate validation works. An example of this attack is the Android SSL bypass or iOS SSL killswitch.

rook
  • 46,916
  • 10
  • 92
  • 181
1

Most of the time it is possible to intercept application traffic even if you have implemented certificate pinning for the application, but the request should be encrypted when you have intercepted it using Charles proxy. But it is possible to intercept traffic using SSLBypass, SSL Trust Killer, or iOS SSL Kill Switch with a proxy such as Burp.

1

There should be some flaw in the certificate pinning code that you have written for your app.

If certificate pinning was done correctly, then no proxy can intercept the traffic, assuming that you are not tampering with the application.

I would suggest you check some great examples on how to implement certificate pinning here.

fdermishin
  • 103
  • 3