如何使用Charles Proxy 這套工具來監聽Android網路通訊(HTTPS) How to use Charles Proxy to sniffer HTTPS Connection over Android App.

1. 如何監聽Android網路路
通訊(HTTPS)
Sniffer https connection over Android
Hsieh, En-Ping
shieh.npin@gmail.com
Revised by Cindy
xuechenc13@gmail.com

2. Advantage of using https
• 更更安全，確保資料傳輸過程中不會被竊聽。
HTTPS is more secure way to teleport sensitive
information.
• Android (逐步)和 iOS(強制)都在推⾏行行全⾯面使⽤用HTTPS進⾏行行資
料傳輸。
Both Android and iOS are asking developer to transfer
data via HTTPS.
https://techcrunch.com/2016/06/14/apple-will-require-
https-connections-for-ios-apps-by-the-end-of-2016/

3. Disadvantage of using https
• 但也造成難以偵錯和除錯。
But it makes debug much harder and harder.
• 通常只能藉由3rd lib提供函式庫去監聽網路路變化，如
OkHttp interceptor 或 Stetho。
The alternative way is using interpolator suppled by 3rd
library, such as OkHttp interceptor or Stetho.
• 這意味著要程式碼必須修改。
But it also means the codebase must be modified.

4. ⿂魚與熊掌不可兼得？
Is it possible to have your cake and eat it too?

5. 中間⼈人攻擊
Man-in-the-middle(MITM) attack

6. Charles Proxy
https://www.charlesproxy.com/

7. Proxy
Charles Proxy
Android
HTTPS
HTTPS

8. Charles ProxyAndroid Server
向Server請求憑證
攔截請求，取代Android向
請求Server憑證
向Proxy發送(真)憑證
向Android發送(假)憑證
⽤用(假)憑證公鑰加密對稱鑰
信任
Charles簽
發的憑證
攔截後⽤用(假)憑證私鑰解
密，再以(真)憑證加密對
稱鑰送向Server
向Proxy發送(真)確認回應
向Android發送(假)確認回應
Android認為⾃自
⼰己與Server溝通
Server認為⾃自⼰己
與Android溝通

9. Charles ProxyAndroid Server
Request cert
from Server
Replace Android to
request Server cert
Send real cert to Proxy
Send fake cert to Android
Use public key from
fake cert to encrypt
Session key
Trust
Charles
Signed cert
Intercept and decrypt the
session key, and then
encrypt it with public key
extracted from real cert
and send it to Server
Send real confirmation
response to ProxySend fake confirmation
response to Android
Android believe it’s
communicating with
Server
Server believe it’s
communicating
with Android

10. 硬體
• ⼀一台無線路路由器(iPhone/Android/AP)
A wireless router.
• Android⼿手機
An Android phone.
• 電腦
A computer.

11. Let's get our hand dirty!

12. 電腦環境設置(Mac)
• 安裝Charles Proxy
Install Charles Proxy.

13. 憑證設置
• 將Charles的憑證安裝⾄至Mac
Then Install Cert for Charles Proxy.

14. 1.
2.
3.
4.
5.
• 讓電腦(Mac)信任該憑證
Make your computer trust the cert.

15. • 設定監聽所有的http連線
Config to record all http connection.
HTTP監聽設置

16. • 設定監聽所有的https連線
Config to record all https connection.
HTTPS監聽設置

17. • 設定Proxy監聽port(請使⽤用未被佔⽤用的port)
Setup the listening port for proxy(choose available port).
Proxy設置
請記住這組Port
Please note this port number.

18. • 確認(開啟) 監聽
Start recording.
Proxy設置
紅燈代表開啟
Red light means it is recording.

19. • ⽤用Charles 檢視主機IP位址·
Check your computer ip address by Charles.
確認IP位址
請記住這組IP
Please note this ip address.

20. ⼿手機Wifi設置
• ⽤用剛才記下的資訊設定WIFI
的proxy ip和port
Configure WIFI and its proxy
settings that you previously
noted.
• 連上Wifi並讓⼿手機和電腦處在
同個網域
Connect to wireless router
and make sure that both
your device and computer
are belong to the same
subnet.

21. Check point
• 這時候你應該會看到⼀一個連線提⽰示。
You should see the following alert when your device
connects to WIFI.

22. Trouble shooting
• Q： 沒有跳出連線提⽰示？
Q： I didn’t get any alert coming when device was
connected.
• A：試著觸發⼀一下網路路連線，然後觀察Charles 視窗左下⾓角有沒
有類似的訊息，可以直接在Charles>Proxy>Access Control
Setting中⼿手動加入。
A：Try to invoke network behavior and check if any similar
message on Charles GUI as in above figure. If so, there is
you can add this ip from Charles>Proxy>Access Control
Settings manually.

23. Trouble shooting
• Q： 還是沒有跳出連線提⽰示？
Q： Still, I didn’t get any alert coming when device is
connected.
• A：由於受到暫存的影響，請嘗試重開Charles, 重連
Android WIFI與徹底重開作為觸發的APP以便便讓改變發⽣生作
⽤用。
A：Due to the influence of cache, please try to restart
Charles, reconnect mobile device to WIFI and restart
trigger app entirely.

24. Trouble shooting
• Q： 我還是沒有看⾒見見任何連線提⽰示⽽而且毫無反應？
Q： Unfortunately, I didn’t see an alert or indication of any
kind on Charles GUI.
• A：如果你是使⽤用wireless router，請確認你的router允許同
網域的機器互相連溝通，若若你⽤用⼿手機分享網路路，請關閉後
重開。
A：Verify that your router allows devices on the same
subnet to connect to each other. If you’re using mobile
phone as hotspot, please restart hotspot function and
retry.

25. Trouble shooting
• Q： 沒招了了><
Q： I gave up.
• A：別忘記先關掉你的⾏行行動數據喔！
A：Don’t forget to turn off your cellular data in first place.

26. ⼿手機憑證設置(Nexus)
• ⽤用瀏覽器開啟http://
chls.pro/ssl並下載Charles
憑證
Browse http://chls.pro/ssl
and download cert.
• 請安裝下載好的憑證，請選
擇「VPN和應⽤用程式」
Please install the cert you
just download, and select
“VPN and application”
option when installing.
別忘記重開Wifi
Don’t forget to reconnect your wifi

27. All set!

28. 現在你可以⽤用Charles監聽
Now you can sniffer all connection through Charles.

29. Trouble shooting
• Q：我看不到任何傳輸紀錄！
Q：I can’t get any record on Charles!
• A：⾏行行動數據關了了嗎？攔截規則設定了了嗎？
A：Did you turn off your cellular data and setup recording
rule?

30. Trouble shooting
• Q：⾃自從我⽤用了了Charles Proxy之後Logcat⼀一直出現這個錯
誤！
Q：I always get this exception from Android Logcat when
I turn on the Charles proxy!
• A：恭喜你！你的APP有查核憑證鍊鍊！解法下⾴頁。
A：Congrats! Your app is also verified the entire cert path.
Solution is on next page.
java.security.cert.CertPathValidatorException: Trust
anchor for certification path not found.

31. Trouble shooting(Cont.)
• 由於7.0的預設機制是不信任由使⽤用者加入的憑證，以確保
不會被⼈人偷植入惡惡意憑證來來竊取資料，但可以透過下列列⽅方
式讓Debug Mode時可以信任Charles 憑證。
By default Android Nougat (7.0) won’t trust the cert added
by user in order to protect user privacy from malicious
cert. But you can only allow this under debug mode by
following tutorial.
• https://android.jlelse.eu/android-nougat-charlesing-ssl-
network-efa0951e66de

32. Trouble shooting
• Q：我可以⽤用模擬器？
Q：Can I use emulator?
• A：可以，你可以透過下列列指令去設定讓模擬器走Proxy
A：You can use following command to start emulator with
assigned proxy.
#emulator -avd avdName -http-proxy 168.192.11.7:8888
請注意這會將所有的連線都導向Charles，請記得為所有的TLS通訊協定(如MQTT)都設
定信任Charlse憑證，或是在Charles中排除部分SSL。
Warning! This command will redirect all connection from emulator to Charles, so
please make sure all protocols over TLS trust Charles cert or exclude these SSL
connection in Charles SSL Proxy setting.

33. Prevent MITM attack
• 如果你希望防⽌止別⼈人透過Man-in-the-middle 去監聽你的資
料可以考慮Cert Pinning，概念念就是只信任打包在APK裡的
憑證，缺點是當憑證更更換時你的APP也必須強制更更新。
Ｍan-in-the-middle attacks can be prevented by Cert
Pinning. The core concept is ONLY to trust pre-installed
cert which has already packed into your apk before the
app release. In contrast, users are forced to upgrade
applications every time you change cert on the server.
Tutorial:
http://blog.jln.co/android-
%E4%BD%BF%E7%94%A8retrofit%E5%A6%82%E4%BD%95%E9%81%BF%E5%85%8Dman-in-the-
middle%E6%94%BB%E6%93%8A/

34. 最後別忘記⽤用完關Proxy
Don’t forget to turn off
proxy after you finish it.

35. Q&A