-
Problem DescriptionI am using the magisk module generated by mitmproxy to install SSL certificate into the Android system certificate store and capture SSL traffic. It works until I recently upgrades my phone's Android OS then it stopped working. The mitmproxy certificate can be seen installed into the phone and in the system certificate list, but apps are no longer trusting the certificate. The logs given by Chrome browser: The logs in mitmproxy: The upgraded Android OS is MIUI14, Android13 with Android security update 2023-10-01. The same magisk module and certificate is working on my other phone with Android 10. Steps to reproduce the behavior:
System InformationPaste the output of "mitmproxy --version" here. |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 5 replies
-
|
Are there any news for Android 13 and this issue? Any workaround we can do to make it work? Except cannot be used on Chrome, any app also cannot access Internet:
On mint console I get:
|
Beta Was this translation helpful? Give feedback.
-
|
Still unsolved now, Android 14 requires you to throw the certificate into |
Beta Was this translation helpful? Give feedback.
-
|
on further investgation, the process which the browser(mark.via in this case) is in cannot see the ca cert, but the zygote process, zygote64 process and adb process can see the ca cert. this is strange considering all Android process is a fork of zygote. rubens:/ # ps -ef | grep -v grep | grep 10378
u0_a414 10378 856 6 21:40:54 ? 00:00:13 mark.via
rubens:/ # nsenter --mount=/proc/10378/ns/mnt -- ls -lat /system/etc/security/cacerts | grep 2024
1|rubens:/ # nsenter --mount=/proc/self/ns/mnt -- ls -lat /system/etc/security/cacerts | grep 2024
drwxr-xr-x 2 root root 2580 2024-03-05 21:39 .
-rw-r--r-- 1 root root 935 2024-03-05 21:39 e5c3944b.0
rubens:/ # nsenter --mount=/proc/$(pidof zygote)/ns/mnt -- ls -lat /system/etc/security/cacerts | grep 2024
drwxr-xr-x 2 root root 2580 2024-03-05 21:39 .
-rw-r--r-- 1 root root 935 2024-03-05 21:39 e5c3944b.0
rubens:/ # nsenter --mount=/proc/$(pidof zygote64)/ns/mnt -- ls -lat /system/etc/security/cacerts | grep 2024
drwxr-xr-x 2 root root 2580 2024-03-05 21:39 .
-rw-r--r-- 1 root root 935 2024-03-05 21:39 e5c3944b.0 |
Beta Was this translation helpful? Give feedback.
-
|
Try removing your target app in Magisk Exclusion List and disable all magisk hiding modules(eg. Shamiko, Magisk Delta, Magisk Hide in old versions of Magisk) first. If you still cannot use the CA cert or unwilling to disable magisk hiding module because your target app is detecting magisk, see below. Some magisk hiding modules actively unmount bind mounts created by Magisk to hide the trace of Magisk. Somehow recent versions of Shamiko will unmount changes in You can make Shamiko and CA cert co-exist by manually bind mounting the cert yourself within the mount namespace of the apps. I wrote a script that does bind mount on #!/system/bin/sh
# Workaround for Android 13 ca cert not working
# copy and bind mounts /system/etc/security/cacerts for zygote, zygote64 and every Android app
# I don't know why this is needed, but this works
# You only need this on some version of Android 13 that simply putting certificate into /system/etc/security/cacerts does not work
# For Android 14, see https://github.com/nccgroup/ConscryptTrustUserCert
# Don't use this script with ConscryptTrustUserCert magisk module at the same time, because both of them used `/data/local/tmp/tmp-ca-copy` path.
# note: you need to put your ca cert into `/system/etc/security/cacerts`(via magisk) before running this. also run as root
if [ $(id -u) -ne 0 ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
set -e
set -x
rm -rf /data/local/tmp/tmp-ca-copy || true;
mkdir -p -m 700 /data/local/tmp/tmp-ca-copy;
cp /system/etc/security/cacerts/* /data/local/tmp/tmp-ca-copy/;
ZYGOTE_PID=$(pidof zygote || true);ZYGOTE64_PID=$(pidof zygote64 || true);
APP_PIDS=$(echo "$ZYGOTE_PID $ZYGOTE64_PID" | \xargs -n1 ps -o 'PID' -P | \grep -v PID);
for Z_PID in $ZYGOTE_PID; do
if [ -n "$Z_PID" ]; then
/system/bin/nsenter --mount=/proc/$Z_PID/ns/mnt -- /bin/mount --bind /data/local/tmp/tmp-ca-copy /system/etc/security/cacerts;
fi
done
for Z_PID in $ZYGOTE64_PID; do
if [ -n "$Z_PID" ]; then
/system/bin/nsenter --mount=/proc/$Z_PID/ns/mnt -- /bin/mount --bind /data/local/tmp/tmp-ca-copy /system/etc/security/cacerts;
fi
done
for PID in $APP_PIDS; do
/system/bin/nsenter --mount=/proc/$PID/ns/mnt -- /bin/mount --bind /data/local/tmp/tmp-ca-copy /system/etc/security/cacerts;
done;
|
Beta Was this translation helpful? Give feedback.
-
|
You can refer to Certificate injection |
Beta Was this translation helpful? Give feedback.
-
|
where to put this script tho?? |
Beta Was this translation helpful? Give feedback.
-
|
@Hamza-Khiar You can place the script in the |
Beta Was this translation helpful? Give feedback.
-
|
@CwithW I tried this and didn't work for one reason, so basically i am inserting the certs with magisk module, but when putting the shell script above in i checked the /tmp dir i didn't find my cert in there. the solution is to either put it in services.d so that it gets executed as a https://topjohnwu.github.io/Magisk/guides.html#boot-scripts https://topjohnwu.github.io/Magisk/details.html#paths-in-data the workaround works. |
Beta Was this translation helpful? Give feedback.
-
I put the script in |
Beta Was this translation helpful? Give feedback.
Try removing your target app in Magisk Exclusion List and disable all magisk hiding modules(eg. Shamiko, Magisk Delta, Magisk Hide in old versions of Magisk) first. If you still cannot use the CA cert or unwilling to disable magisk hiding module because your target app is detecting magisk, see below.
Some magisk hiding modules actively unmount bind mounts created by Magisk to hide the trace of Magisk. Somehow recent versions of Shamiko will unmount changes in
/system/etc/securityand cause the cert to disappear for apps in Magisk Exclusion List.You can make Shamiko and CA cert co-exist by manually bind mounting the cert yourself within the mount namespace of the apps.
I wrote a script th…