I enabled HTTPS in the Fiddler4 options, and it does capture HTTPS traffic from most of the Android apps on my machine (using an Android emulator, via the WiFi proxy settings).
But for some apps it always fails. Kayak, for example, always shows "Oops! There was a problem connecting to the Internet. Please try again later."
I noticed that the Kayak app uses TLS 1.0 (see the screenshot below, taken from Microsoft Network Monitor 3.4), and I guess that may have something to do with it.
I also tried setting the protocol to "tls1.0" (see the screenshot below), but it had no effect.
Appreciate your thoughts.
Best answer
Update: further investigation shows that some Android apps will not accept a wildcard if the certificate's SubjectCN field is encoded as a BMPString. The makecert generator uses BMPString, so you can either uncheck the Use wildcards box or switch to the CertEnroll generator under Tools > Fiddler Options > HTTPS > Certificate generator.
The text below still applies to apps that implement pinning.
TLS1.0 is probably the best-supported HTTPS protocol in Fiddler. You didn't show what Fiddler's Web Sessions list or Log tab contain when the failure happens, but my guess is that the Web Sessions list shows only the CONNECT and the Log tab has something like:
    !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.kayak.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
Is that right? If so, the most likely explanation is that the Android app in question has certificate pinning enabled.
From the Fiddler book:
Certificate Pinning
A very small number of HTTPS client applications support a feature known as “Certificate Pinning” whereby the client application is hardcoded to accept only one specific certificate. Even if the connection uses a certificate that chains to a root that is otherwise fully-trusted by the operating system, such applications will refuse to accept an unexpected certificate.
To date, some Twitter and Dropbox apps include this feature, and Windows 8 Metro apps may opt-in to requiring specific certificates rather than relying upon the system’s Trusted Root store. Firefox’s automatic browser update feature will silently fail when Fiddler is decrypting its traffic. The Microsoft Security toolkit named EMET can enable pinning in any application for certain “high-value” sites (including Windows Live). The Chrome browser supports pinning, but it exempts locally-trusted roots like Fiddler’s.
When a Certificate-Pinned application performs a HTTPS handshake through a CONNECT tunnel to Fiddler, it will examine the response’s certificate and refuse to send any further requests when it discovers the Fiddler-generated certificate. Unfortunately, there is no general-purpose workaround to resolve this; the best you can do is to exempt that application’s traffic from decryption using the HTTPS tab or by setting the x-no-decrypt Session flag on the CONNECT tunnel. The flag will prevent Fiddler from decrypting the traffic in the tunnel and it will flow through Fiddler uninterrupted.
If you're very serious about bypassing pinning, you can jailbreak the device and use any of many third-party toolkits to disable the pinning code.
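An added example for the SubjectCN point in the update above (my own code, not Fiddler's and not the answerer's): a pure standard-library Python script that builds a DER Subject Name with the CN as either a BMPString (tag 0x1E, what the makecert generator emits) or a UTF8String/PrintableString, reads the CN tag back out, flags the wildcard-plus-BMPString combination the answer describes, and can locate the subject inside a full DER certificate. The function names and the sample Name (CN=*.kayak.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com, modelled on the log line quoted above) are constructed for this example.

```python
"""Inspect how a certificate Subject's CN is encoded in DER (added example).

Some Android TLS stacks reject a wildcard CN when it is a BMPString (tag 0x1E),
which is what Fiddler's makecert-based generator emits. Pure stdlib; all names
and the sample Subject are constructed for this example.
"""

OID_CN, OID_O, OID_OU = "2.5.4.3", "2.5.4.10", "2.5.4.11"
TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x1E: "BMPString"}

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _string(tag, text):
    """BMPString is UTF-16BE; the other DirectoryString choices are ASCII/UTF-8."""
    return _tlv(tag, text.encode("utf-16-be" if tag == 0x1E else "utf-8"))

def build_subject(cn, cn_tag, org="DO_NOT_TRUST", ou="Created by http://www.fiddler2.com"):
    """DER Name: SEQUENCE OF SET OF SEQUENCE { OID, DirectoryString }.
    Only the CN tag varies; O and OU use UTF8String (underscore is not printable)."""
    rdns = [(OID_CN, cn_tag, cn), (OID_O, 0x0C, org), (OID_OU, 0x0C, ou)]
    body = b"".join(_tlv(0x31, _tlv(0x30, _oid(o) + _string(t, v))) for o, t, v in rdns)
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    """Return (tag, body, end_offset) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_subject(der):
    """Return [(oid, string_tag, text)] for every attribute of a DER Name."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):
        set_tag, rdn, pos = _read_tlv(seq, pos)
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, p = _read_tlv(atv, 0)
            vtag, vbody, _ = _read_tlv(atv, p)
            text = vbody.decode("utf-16-be" if vtag == 0x1E else "utf-8")
            attrs.append((_decode_oid(oid_body), vtag, text))
    return attrs

def cn_encoding(der):
    """Name of the ASN.1 string type used for CN, or None if there is no CN."""
    for oid, tag, _ in parse_subject(der):
        if oid == OID_CN:
            return TAG_NAMES.get(tag, "tag 0x%02X" % tag)
    return None

def wildcard_bmp_risk(der):
    """True for the combination the answer describes: wildcard CN *and* BMPString."""
    return any(oid == OID_CN and tag == 0x1E and text.startswith("*.")
               for oid, tag, text in parse_subject(der))

def subject_from_certificate(cert_der):
    """Walk Certificate -> tbsCertificate -> subject and return the subject's DER."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0          # optional [0] EXPLICIT version
    for _ in range(4):                       # serialNumber, signature, issuer, validity
        _, _, pos = _read_tlv(tbs, pos)
    _, _, end = _read_tlv(tbs, pos)
    return tbs[pos:end]
```

To check a certificate Fiddler actually handed to the emulator, export it in DER form (for example `openssl x509 -in cert.pem -outform DER -out cert.der`) and run `cn_encoding(subject_from_certificate(open("cert.der", "rb").read()))`; a result of `BMPString` together with a `*.` CN is the case the update says to avoid by unticking Use wildcards or switching to CertEnroll.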
Regarding "android - How to capture HTTPS (TLS 1.0) traffic from an Android app with Fiddler4?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33382870/