
Charles Proxy for Mobile apps that use SSL Pinning

Charles Proxy website comments that:

Note that some apps implement SSL certificate pinning which means they specifically validate the root certificate. Because the app is itself verifying the root certificate it will not accept Charles's certificate and will fail the connection. If you have successfully installed the Charles root SSL certificate and can browse SSL websites using SSL Proxying in Safari, but an app fails, then SSL Pinning is probably the issue.

Just to be certain, is it possible to use an HTTP monitor like Charles Proxy (or another monitor) even though a mobile app uses SSL certificate pinning?

Stanford Wong asked Oct 17 '18 19:10


1 Answer

As Steffen said, you might need to patch the app to disable certificate pinning. Most mobile apps don't use it though :) Thus you just need to enable SSL connections with a self-signed certificate. To allow that with an Android application, do the following. First download apktool. Then unpack the APK file (according to apktool 2.4.1):

java -jar apktool.jar d app.apk

Modify AndroidManifest.xml by adding this attribute to application element:

android:networkSecurityConfig="@xml/network_security_config"

Create the file res/xml/network_security_config.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
   <base-config>
      <trust-anchors>
         <certificates src="system" />
         <certificates src="user" />
      </trust-anchors>
   </base-config>
</network-security-config>

Generate keys to sign APK:

keytool -genkey -alias keys -keystore keys -keyalg DSA

Build patched APK:

java -jar apktool.jar b app -o app_patched.apk --use-aapt2

Sign APK file:

jarsigner -verbose -keystore keys app_patched.apk keys

If necessary, convert the APK to JAR for further analysis: d2j-dex2jar.sh app.apk. More information: Network security configuration.

expert answered Oct 10 '22 08:10
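As an added example (not code from the answer above), the following script audits a network_security_config.xml for the weakening the answer describes: whether release builds trust user-installed CAs, whether user CAs are confined to debug-overrides (the supported way to let a developer proxy a debuggable build), and which domains carry a pin-set. Both sample configs are constructed here; api.example.com and the pin value are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive config from the answer (user CAs trusted everywhere).
PERMISSIVE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
   <base-config>
      <trust-anchors>
         <certificates src="system" />
         <certificates src="user" />
      </trust-anchors>
   </base-config>
</network-security-config>"""

# Constructed sample: a hardened config. Release builds trust system CAs only,
# user CAs are honoured only when the build is debuggable, and one API host is pinned.
# The pin digest below is a placeholder, not a real certificate hash.
HARDENED_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
   <base-config>
      <trust-anchors>
         <certificates src="system" />
      </trust-anchors>
   </base-config>
   <domain-config>
      <domain includeSubdomains="true">api.example.com</domain>
      <pin-set expiration="2030-01-01">
         <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      </pin-set>
   </domain-config>
   <debug-overrides>
      <trust-anchors>
         <certificates src="user" />
      </trust-anchors>
   </debug-overrides>
</network-security-config>"""


def _trusts_user_ca(section: ET.Element) -> bool:
    """True if a config section lists the user CA store as a trust anchor."""
    return any(c.get("src") == "user" for c in section.findall("trust-anchors/certificates"))


def audit_nsc(xml_text: str) -> dict:
    """Summarise the trust posture declared by a network_security_config.xml."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    return {
        # user CAs in base-config: any proxy CA installed on the device is accepted in release
        "release_trusts_user_ca": base is not None and _trusts_user_ca(base),
        # user CAs only under debug-overrides: applies solely to android:debuggable builds
        "debug_trusts_user_ca": any(_trusts_user_ca(d) for d in root.findall("debug-overrides")),
        # domains whose domain-config carries a pin-set (a user CA alone cannot intercept these)
        "pinned_domains": [d.text for dc in root.findall("domain-config")
                           if dc.find("pin-set") is not None for d in dc.findall("domain")],
    }
```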