How to proxy requests to api.twitter.com including SSL certificates?

I'm using Twitter's new Fabric SDK for Android. I've set up Charles as a proxy on my Mac so I can analyse the JSON payload in the API responses.

SSL proxying in Charles is enabled and access granted for my test device.

However, Charles shows me the following error for any request to Twitter:

URL https://api.twitter.com

Status Failed

Failure SSLHandshake: Received fatal alert: certificate_unknown

Logcat shows me:

retrofit.RetrofitError: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.   

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:306)
    at com.squareup.okhttp.Connection.upgradeToTls(Connection.java:241)
    at com.squareup.okhttp.Connection.connect(Connection.java:158)
    at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:174)
    at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:120)

Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
    at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:209)
    at io.fabric.sdk.android.services.network.PinningTrustManager.checkSystemTrust(PinningTrustManager.java:117)
    at io.fabric.sdk.android.services.network.PinningTrustManager.checkServerTrusted(PinningTrustManager.java:160)

It looks to me like I need to trust some certificates... Any ideas?

jenzz Avatar asked Jan 27 '15 21:01

1 Answer

The Fabric SDK uses SSL Certificate Pinning to ensure that they are talking directly to the Twitter servers. Unfortunately, this means that you won't be able to view the traffic going between Fabric and the Twitter backend.

Generally, standard SSL merely requires that a given certificate is "trusted." That's why you are able to trust the Charles certificate in your emulator or on your test device and then the networking stack won't complain. However, when a library is using SSL certificate pinning it won't trust just any trusted certificate but only a certain set of certificates. So even though your emulator is seeing a trusted Charles certificate, the Twitter library will fail unless it sees the actual Twitter API certificate. See more: https://www.infinum.co/the-capsized-eight/articles/securing-mobile-banking-on-android-with-ssl-certificate-pinning

If you need to see the traffic, you will need to use a Twitter library that doesn't use SSL Certificate Pinning.

Steven Hepting Avatar answered Oct 13 '22 00:10

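To make the answer's point concrete, here is an added example (not the Fabric SDK's own `PinningTrustManager`, whose source is not on this page) of a trust manager that performs the same two-step check seen in the logcat trace: ordinary system trust first, then a public-key pin. The platform `X509TrustManager` and the pin set are assumed to be supplied by the caller, and the pin values are placeholders.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/** System trust check first, then a public-key pin: the two steps visible in the logcat trace. */
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager system; // platform trust manager (assumed: from TrustManagerFactory)
    private final Set<String> pins;        // "sha256/<base64>" pins; placeholder values in this example

    public PinningTrustManager(X509TrustManager system, Set<String> pins) {
        this.system = system;
        this.pins = pins;
    }

    /** SHA-256 of the DER-encoded SubjectPublicKeyInfo, base64: the common "sha256/..." pin form. */
    static String spkiPin(X509Certificate cert) throws CertificateException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            return "sha256/" + Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Step 1: ordinary path validation against the platform store. This is the check that
        // reports "Trust anchor for certification path not found" until the proxy root is trusted.
        system.checkServerTrusted(chain, authType);
        // Step 2: the pin. A proxy-issued leaf carries the proxy's key, not Twitter's, so the
        // chain is rejected here even after step 1 has accepted it.
        for (X509Certificate cert : chain) {
            if (pins.contains(spkiPin(cert))) return;
        }
        throw new CertificateException("no certificate in the chain matches a pinned key");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
}
```

Installing the Charles root on the device only satisfies step 1; step 2 compares keys, which is why no proxy-generated certificate can pass it.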