Android 7.0 or later HTTPS packet capture failure solution

The phenomenon of

Android7.0 or higher HTTPS packet capture failure (HTTPS certificate installed also does not work)

why

New certificate validation (system certificate) for android7.0+

The solution

Prerequisites: HTTPS security certificates must be installed on both mobile phones and PCS. Configuration: All certificates (system and user) are trusted by default when the test package is sent. Create a file called network_security_config. XML in the project res-xml directory with the following contents:

<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" overridePins="true" />
            <certificates src="user" overridePins="true" />
        </trust-anchors>
    </base-config>
</network-security-config>
Copy the code

2. Add the following code to the AndroidManifest TAB:

android:networkSecurityConfig="@xml/network_security_config"
Copy the code

Repackage the project and capture it.

The WebView failed to capture packets. Procedure

If you want to capture a webview, you need to comment out a line of code in webView’s WebViewClient:

super.onReceivedSslError(view, handler, error)
Copy the code

This is to ignore SSL certificate errors, because the network becomes insecure when the proxy is enabled, the certificate will report errors, and the WebView does not request any data when it detects certificate errors. Comments are made to ignore processing by the parent class and are executed by default.

warning

This configuration operation is sensitive and dangerous. It can only be used in the test environment to facilitate packet capture. You must restore the configuration of online packets. Postscript There is another way to ignore the SSL certificate error and continue loading the page by reloading the WebViewClient onReceivedSslError() function and executing handler.proceed() in it:

WebView webview = (WebView) findViewById(R.id.webview);
webview.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // Do not call super.onReceivedsslError because it contains a handler.cancel() that cannot be loaded on the first visit and can be loaded after the second
        // super.onReceivedSslError(view, handler, error);
        // Ignore the SSL certificate error and continue loading the pagehandler.proceed(); }}Copy the code