How do Android HTTPS clients decide who they trust?

If the client doesn't trust the certificate, it closes the connection before sending any content, i.e. it never sends any part of its HTTPS request.

In short: every TLS client has a list of root CAs that it trusts, and to successfully receive an HTTPS request, you must be able to present a certificate for the target hostname that includes a trusted root CA somewhere in its chain.

This is a bit simplified and I'm ignoring all sorts of edge cases, but it's enough for our purposes. If you'd like to get into the nitty gritty of how the certificate validation really works, Scott Helme has written up a great guide.

So, given the above, if we want to intercept HTTPS we need to be able to present a certificate issued by a trusted certificate authority. Since nobody reading this has a globally trusted root CA to hand, in practice that means we need to create our own CA, and ensure the TLS client (in this case, Android's HTTPS clients) already trusts that CA, before we can get started.

Android Certificate Stores

Each HTTPS or TLS client on Android will check certificates against the CAs in some certificate store. There's at least 3 types of Android CA certificate store:

The OS has a 'system' certificate store, at /system/etc/security/cacerts/.
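The chain rule above is easy to see end to end with a throwaway private CA. The script below is an added example, not code from the original post or from HTTP Toolkit; it assumes only the openssl command-line tool, and the hostname example.test and the two CA names are constructed for the demo. It creates our own root CA, issues a leaf certificate for the hostname, and then validates that leaf against two trust stores: one that contains our CA (the client accepts the certificate) and one that holds only an unrelated CA (the client rejects it, which is the "closes the connection before sending anything" case).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes only the openssl
# command-line tool. It builds a throwaway private CA, issues a leaf
# certificate for a constructed hostname, and then checks that leaf against
# two trust stores: one that contains our CA and one that does not.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="example.test"   # constructed hostname for the demo, not a real target

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf. v3_ca marks a certificate as a CA; v3_leaf is a server cert.
cat > "$WORK/demo.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

# Create a self-signed root CA: "$1" is the subject CN, "$2" the file name.
make_ca() {
  openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca \
    -subj "/CN=$1" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Issue a leaf certificate for $HOST, signed by the CA whose file name is "$1".
make_leaf() {
  openssl req -new -config "$WORK/demo.cnf" -subj "/CN=$HOST" \
    -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/demo.cnf" -extensions v3_leaf -days 90 -sha256 \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Validate the leaf the way a TLS client does: build a chain from the leaf
# to a root in the given trust store ("$1") and check the hostname.
# Prints "trusted" or "untrusted" and returns 0 or 1 to match.
verify_leaf() {
  if openssl verify -CAfile "$1" -verify_hostname "$HOST" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
    return 1
  fi
}

make_ca "Example Private Root CA" ca     # the CA we control
make_ca "Unrelated Root CA" other-ca     # a CA some other client trusts instead
make_leaf ca

# A client whose store holds only the unrelated CA rejects our certificate,
# so it would close the connection before sending any request data.
verify_leaf "$WORK/other-ca.pem" || true   # prints: untrusted
# A client whose store includes our CA accepts it and will send its request.
verify_leaf "$WORK/ca.pem"                 # prints: trusted
```

The `-CAfile` argument plays the role of the client's certificate store; on Android the system store is the directory of CA certificates at /system/etc/security/cacerts/ that the post names, and the user and app-specific stores the post goes on to describe are the same idea under different ownership. The whole of the rest of the setup amounts to getting your CA into whichever store the client you care about actually consults, and nothing else in the chain matters until that is true.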