
How do I install a trusted CA certificate on an Android device?

Updated: 2023-11-24 17:00:46

Prior to Android KitKat you have to root your device to install new certificates.

From Android KitKat (4.0) up to Nougat (7.0) it's possible and easy. I was able to install the Charles Web Debugging Proxy cert on my un-rooted device and successfully sniff SSL traffic.

Extract from http://wiki.cacert.org/FAQ/ImportRootCert:

Before Android version 4.0, with Android version Gingerbread & Froyo, there was a single read-only file (/system/etc/security/cacerts.bks) containing the trust store with all the CA ('system') certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, ...

Starting from Android 4.0 (Android ICS/'Ice Cream Sandwich', Android 4.3 'Jelly Bean' & Android 4.4 'KitKat'), system trusted certificates are on the (read-only) system partition in the folder '/system/etc/security/' as individual files. However, users can now easily add their own 'user' certificates which will be stored in '/data/misc/keychain/certs-added'.

System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> 'System' section, whereas the user trusted certificates are managed in the 'User' section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN code, a pattern lock or a password to unlock the device is mandatory when user-supplied certificates are used.

Installing CAcert certificates as 'user trusted' certificates is very easy. Installing new certificates as 'system trusted' certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.
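A way to script the 'system trusted' route, as an added example that is neither part of the answer above nor of the CAcert wiki it quotes. Android's system store under /system/etc/security/cacerts/ keeps each CA as one file named after OpenSSL's subject_hash_old of the certificate's subject (eight hex digits plus ".0"). The script computes that filename with a minimal DER walk instead of shelling out to openssl, and returns the adb commands a rooted device needs. The certificate it parses is a constructed, unsigned skeleton built inline (not a real CA), and the function names are assumptions. The "adb remount" step assumes a writable /system; on recent Android releases that is often not possible even with root, so read the commands as the shape of the procedure, not a guarantee.

```python
import base64
import hashlib
import struct


def _tlv(tag, content):
    """Encode one DER TLV (used to build the constructed sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, raw_tlv, value) for each element of a constructed DER value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, buf[pos:vend], buf[vstart:vend]
        pos = vend


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the certificate body."""
    return base64.b64decode("".join(l for l in pem_text.splitlines() if not l.startswith("-----")))


def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


def subject_der(cert_der):
    """Return the DER bytes (tag + length + value) of the certificate's subject Name."""
    _, tbs_start, tbs_end = _read_tlv(cert_der, 0)                    # Certificate SEQUENCE
    _, _, tbs_value = next(_children(cert_der, tbs_start, tbs_end))   # tbsCertificate
    fields = list(_children(tbs_value, 0, len(tbs_value)))
    if fields[0][0] == 0xA0:                                          # optional [0] version (absent in v1)
        fields = fields[1:]
    tag, raw, _ = fields[4]          # serialNumber, signature, issuer, validity, subject
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE; not an X.509 certificate?")
    return raw


def name_hash_old(name_der):
    """OpenSSL X509_NAME_hash_old: first 4 bytes of MD5(DER Name), read little-endian."""
    return struct.unpack("<I", hashlib.md5(name_der).digest()[:4])[0]


def subject_hash_old(cert_der):
    return name_hash_old(subject_der(cert_der))


def system_store_filename(cert_der):
    """Filename the CA must carry inside /system/etc/security/cacerts/."""
    return "%08x.0" % subject_hash_old(cert_der)


def install_commands(local_pem, filename):
    """adb commands for the root-only route (assumes /system can be remounted read-write)."""
    dest = "/system/etc/security/cacerts/" + filename
    return ["adb root", "adb remount", "adb push %s %s" % (local_pem, dest),
            "adb shell chmod 644 %s" % dest, "adb reboot"]


def _name(cn):
    """Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), UTF8String }."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


SAMPLE_CN = "Constructed Proxy Root CA"


def sample_cert_der(cn=SAMPLE_CN, v3=True):
    """Constructed, unsigned certificate skeleton (not a real CA) carrying the fields subject_der() walks."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if v3 else b""                    # [0] version v3
    tbs += _tlv(0x02, b"\x01")                                               # serialNumber
    tbs += _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs += _name("Constructed Issuer")                                       # issuer
    tbs += _tlv(0x30, _tlv(0x17, b"230101000000Z") + _tlv(0x17, b"330101000000Z"))  # validity
    tbs += _name(cn)                                                         # subject
    tbs += _tlv(0x30, b"")                                                   # subjectPublicKeyInfo stub
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    der = pem_to_der(der_to_pem(sample_cert_der()))   # stands in for: pem_to_der(open("ca.pem").read())
    fname = system_store_filename(der)
    print("system-store filename:", fname)
    print("\n".join(install_commands("ca.pem", fname)))
```

The same filename can be cross-checked on a workstation with `openssl x509 -subject_hash_old -noout -in ca.pem`; the user store route needs none of this, since Settings imports the PEM/DER file directly.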

From Android N onwards it gets a little harder, see this extract from the Charles proxy website:

As of Android N, you need to add configuration to your app in order to have it trust the SSL certificates generated by Charles SSL Proxying. This means that you can only use SSL Proxying with apps that you control.

In order to configure your app to trust Charles, you need to add a Network Security Configuration File to your app. This file can override the system default, enabling your app to trust user installed CA certificates (e.g. the Charles Root Certificate). You can specify that this only applies in debug builds of your application, so that production builds use the default trust profile.

Add a file res/xml/network_security_config.xml to your app:

<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <!-- Trust user added CAs while debuggable only -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

Then add a reference to this file in your app's manifest, as follows:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:networkSecurityConfig="@xml/network_security_config">
    </application>
</manifest>
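The security point of the configuration above is that user-installed CAs are trusted only under debug-overrides, which Android applies only when the application is debuggable, so a release build keeps the default (system CAs only). The following is an added example, not code from the answer or from Charles: a small audit that reads a network_security_config.xml and reports whether user CAs (or cleartext traffic) are enabled for release scope, i.e. inside base-config or a domain-config, rather than only under debug-overrides. Both configurations it checks are constructed inline: the debug-only one from above and a deliberately weak one that ships user-CA trust into production; the function names and the api.example.invalid domain are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the debug-only configuration shown in the answer.
DEBUG_ONLY_CONFIG = """
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed sample: trusts user CAs (and allows cleartext) in release builds.
WEAK_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.invalid</domain>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>
"""


def _trusts_user_cas(element):
    """True if any <certificates src="user"/> sits below the given element."""
    return any(c.get("src") == "user" for c in element.iter("certificates"))


def audit_network_security_config(xml_text):
    """Report where the config trusts user-installed CAs.

    Returns {"release_trusts_user_cas", "debug_trusts_user_cas", "findings"}.
    Release scope = base-config and domain-config; debug-overrides only
    take effect when the app is built with android:debuggable="true".
    """
    root = ET.fromstring(xml_text)
    findings, release_user = [], False
    for section in ("base-config", "domain-config"):
        for cfg in root.iter(section):
            # Look at this element's own <trust-anchors> only, so a nested
            # domain-config is reported on its own line.
            anchors = cfg.find("trust-anchors")
            if anchors is not None and _trusts_user_cas(anchors):
                release_user = True
                domains = [d.text for d in cfg.findall("domain")]
                scope = " for " + ", ".join(domains) if domains else ""
                findings.append("%s trusts user CAs%s: release builds accept an "
                                "intercepting proxy's certificate" % (section, scope))
            if cfg.get("cleartextTrafficPermitted") == "true":
                findings.append("%s permits cleartext traffic" % section)
    debug = root.find("debug-overrides")
    debug_user = debug is not None and _trusts_user_cas(debug)
    if debug_user and not release_user:
        findings.append("debug-overrides trusts user CAs: effective only when "
                        "android:debuggable is true")
    return {"release_trusts_user_cas": release_user,
            "debug_trusts_user_cas": debug_user,
            "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("debug-only", DEBUG_ONLY_CONFIG), ("weak", WEAK_CONFIG)):
        report = audit_network_security_config(cfg)
        print(label, report["release_trusts_user_cas"], report["debug_trusts_user_cas"])
        for f in report["findings"]:
            print("  -", f)
```

Run it against the res/xml/network_security_config.xml pulled out of a decoded APK; a True in release_trusts_user_cas means the shipped build, not just the debug build, will accept a user-installed proxy CA.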