2. Advantage of using HTTPS
• More secure: it ensures the data cannot be eavesdropped on while in transit. HTTPS is a more secure way to transport sensitive information.
• Android (gradually) and iOS (mandatorily) are both pushing for HTTPS for all data transfer; both platforms ask developers to transfer data via HTTPS.
https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/
3. Disadvantage of using HTTPS
• But it makes tracing and debugging network traffic much harder.
• Usually the only way to observe the network traffic is an interceptor supplied by a third-party library, such as an OkHttp interceptor or Stetho.
• That also means the codebase must be modified.
9. Charles Proxy between Android and Server
Charles sits between the Android client and the server and completes the TLS handshake on both sides:
• Android requests the certificate from the server; Charles takes over and requests the server certificate itself.
• The server sends its real certificate to the proxy; the proxy sends a fake certificate to Android.
• Android uses the public key from the fake certificate to encrypt the session key. This only works because Android has been configured to trust the Charles-signed certificate.
• Charles intercepts and decrypts the session key, re-encrypts it with the public key extracted from the real certificate, and sends it to the server.
• The server sends the real confirmation response to the proxy; the proxy sends a fake confirmation response to Android.
• Android believes it is communicating with the server; the server believes it is communicating with Android.
18. Proxy setup
• Make sure recording is turned on: start recording. The red light means it is recording.
19. Confirm the IP address
• Use Charles to check your computer's IP address, and note this IP address down.
20. Phone Wi-Fi setup
• Configure the Wi-Fi proxy IP and port with the information you noted earlier.
• Connect to the wireless router and make sure the phone and the computer are on the same subnet.
22. Troubleshooting
• Q: No connection prompt appeared when the device connected?
• A: Try triggering some network activity, then look at the bottom-left corner of the Charles window for a message like the one in the figure above. If you see one, you can add the IP manually under Charles > Proxy > Access Control Settings.
23. Troubleshooting
• Q: Still no connection prompt when the device connects?
• A: Caching can get in the way: try restarting Charles, reconnecting the Android device to Wi-Fi, and fully restarting the app that triggers the traffic so the change takes effect.
24. Troubleshooting
• Q: I still don't see any connection prompt, and nothing in Charles reacts at all?
• A: If you are using a wireless router, verify that it allows devices on the same subnet to communicate with each other. If you are using a phone as a hotspot, turn the hotspot off and on again and retry.
25. Troubleshooting
• Q: I'm out of ideas ><
• A: Don't forget to turn off your mobile data first!
29. Troubleshooting
• Q: I can't see any traffic records in Charles!
• A: Did you turn off mobile data? Did you set up the recording (intercept) rules?
30. Troubleshooting
• Q: Since I started using Charles Proxy, Logcat keeps showing this error!
• A: Congratulations! Your app verifies the entire certificate chain. The solution is on the next page.
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
31. Troubleshooting (cont.)
• By default, Android Nougat (7.0) does not trust certificates added by the user, so that nobody can secretly install a malicious certificate to steal data. You can, however, trust the Charles certificate in debug mode only by following the tutorial below.
• https://android.jlelse.eu/android-nougat-charlesing-ssl-network-efa0951e66de
32. Troubleshooting
• Q: Can I use an emulator?
• A: Yes. You can start the emulator routed through the proxy with the following command:
#emulator -avd avdName -http-proxy 168.192.11.7:8888
Warning! This redirects all connections from the emulator to Charles, so make sure every protocol over TLS (e.g. MQTT) trusts the Charles certificate, or exclude those SSL connections in Charles' SSL Proxy settings.
33. Prevent MITM attacks
• If you want to stop someone from eavesdropping on your data through a man-in-the-middle, consider certificate pinning. The core concept is to trust ONLY the certificate packaged into your APK before release. The drawback is that whenever the server certificate changes, users are forced to update the app.
Tutorial:
http://blog.jln.co/android-%E4%BD%BF%E7%94%A8retrofit%E5%A6%82%E4%BD%95%E9%81%BF%E5%85%8Dman-in-the-middle%E6%94%BB%E6%93%8A/
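Slides 31 and 33 both come down to controlling which certificates the app trusts. Android's network security configuration covers both in one file: a debug-only override that trusts user-installed CAs (so Charles works on a debuggable build without touching release builds), and a pin-set for the production API host (so a proxy-signed certificate is rejected in release). The file below is an added example, not code from the slides or from the linked tutorials; the host api.example.com and the two pin values are placeholders you must replace with the base64 SHA-256 of your server's real SubjectPublicKeyInfo.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example; reference it from the
     <application> element in AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config") -->
<network-security-config>

    <!-- Only honoured when android:debuggable="true" (debug builds).
         Trusting "user" CAs is what lets a debug build accept the Charles
         root certificate the user installed; release builds ignore this block
         and keep the Nougat default of system CAs only. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

    <!-- Certificate pinning for the production API host (hypothetical domain).
         Each <pin> is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo.
         Keep at least one backup pin for a key you already hold offline, so a
         key rotation does not force every user to update the app at once.
         The expiration date stops a forgotten pin-set from bricking the app:
         after it passes, pins are no longer enforced. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SPKI_SHA256_OF_CURRENT_KEY=</pin>
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SPKI_SHA256_OF_BACKUP_KEY=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

With this configuration a debug build still shows the `CertPathValidatorException` from slide 30 for the pinned host, because pinning applies in debug builds too: the pin-set is checked in addition to the trust anchors, so a Charles-signed certificate for api.example.com fails the pin even though its chain is now trusted. Use a separate debug `<domain-config>` without a pin-set for that host, or point the debug build at a non-pinned test host, when you need to inspect that traffic.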