Ding, hidden BUG triggered successfully

Recently, while testing a release package, I tried to proxy the project through Charles and happened to find that the proxy failed on some devices. The frustrating part was that none of the colleagues around me could reproduce it; only my setup kept failing. The feeling was strangely familiar: I knew I was about to trigger yet another hidden bug.

Here is what the proxy failure looked like in practice:

Client SSL handshake failed: An unknown issue occurred processing the certificate (certificate_unknown)

  • Android 6.0: both the debug and the release build proxy normally
  • Android 7.0: the debug build proxies normally, but the release build fails
  • Android 8.0: the debug build proxies normally, but the release build fails

The <application> tag in AndroidManifest.xml contains an attribute I had never seen before, networkSecurityConfig:

<application
    android:networkSecurityConfig="@xml/network_security_config"
    <!-- other attributes omitted -->
    >
    ...
</application>

The contents of res/xml/network_security_config.xml are as follows:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

To me, the name debug-overrides practically reads as if it were written in bold capitals, so I guessed that this was why the release build could not be proxied.

So I commented it out, replaced it with an equivalent block that is not limited to debug builds, rebuilt the release package, and sure enough it worked.

After solving the problem, a few questions remained:

  • What is networkSecurityConfig?
  • Why does it work on Android 6.0 but not on Android 7.0?

Happily, the official documentation (Network security configuration) explains both questions well. Here are the answers I worked out for myself.

What networkSecurityConfig is for

The official documentation explains it:

The network security configuration feature allows applications to customize their network security settings in a secure declarative configuration file without modifying application code.

So networkSecurityConfig is the network security configuration feature, and res/xml/network_security_config.xml is the custom configuration file it points to.

A custom configuration file lets you do four things:

  • Custom trust anchors: customize which certificate authorities (CAs) are trusted for the application's secure connections.

    The corresponding tag is <trust-anchors>, which also appeared above, with the trusted certificate sources listed inside it. The supported sources are system, user and @raw/xxx: system means the device's built-in system CA certificates, user means certificates the device user has installed, and @raw/xxx means a certificate bundled by the app in its res/raw folder.

  • Debug-only overrides: debug secure connections in an application safely, without adding risk for users of the installed release build.

    The corresponding tag is <debug-overrides>, which only takes effect when the manifest's android:debuggable is true, that is, in debug builds.
  • Cleartext traffic opt-out: prevent the application from accidentally using unencrypted communication.

    This is the cleartextTrafficPermitted="true" attribute seen above. It decides whether plaintext transmission is allowed: if plain HTTP traffic suddenly appears in an app that otherwise uses HTTPS, this attribute determines whether the connection may proceed or is rejected outright.

  • Certificate pinning: restrict the application's secure connections to specific certificates.

    The tag used is <pin-set>. I have not yet needed this one; if you are interested, read the official documentation.

Why does Android 7.0 need special handling in the first place?

For network security reasons, apps running on Android 7.0 and above by default trust only the certificates shipped with the system and no longer trust certificates added by the user.

The default configuration is as follows:

Android 7.0 and higher:

<base-config cleartextTrafficPermitted="true">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>

Below Android 7.0:

<base-config cleartextTrafficPermitted="true">
    <trust-anchors>
        <certificates src="system" />
        <certificates src="user" />
    </trust-anchors>
</base-config>

To proxy HTTPS with Charles, the Charles SSL certificate must be installed on the phone, and that certificate is a user-level certificate. So, with the same setup, Android 6.0 proxies successfully while Android 7.0 and above all report "Client SSL handshake failed". If you want to proxy an app on Android 7.0 or later, you have to set the networkSecurityConfig property on the <application> element yourself.

Clearly, in the case I ran into, other colleagues had already hit this problem, but I do not know why the <debug-overrides> restriction was there in the first place. After talking to the relevant colleagues, it turned out there was no need for this restriction, so it has been removed. That said, <debug-overrides> is a good security measure for projects that have such requirements.

Afterword

I recently started a new job, and because I wanted to get familiar with the project code and the team's workflow and rhythm, I have not updated the blog or the public account for a long time. I am very grateful to the friends who have not unfollowed me. I also received a few very touching DMs, including one from a very lovely girl; by the time I saw it too much time had passed and I could no longer reply (replies must be sent within 24 hours), for which I am very sorry.

All in all, thank you, friends. The blog and the public account will be updated normally from the next post on; likes, comments and private messages are all welcome!

Finally, happy Halloween!

Feel free to follow the blogger's WeChat public account; I look forward to growing together with you!