Updated AndroidManifest.xml to trust user installed CA certificate #119
As you may know, since Android 7 the Android SDK makes apps trust only CA certificates contained within the system certificate store. It can be overridden so that applications also trust user-installed certificates (https://developer.android.com/training/articles/security-config#TrustingAdditionalCas). I saw that PowerTunnel already has an xml file in res/xml/ but it is not referenced in the AndroidManifest.xml file, hence I fixed it.
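The mechanism the PR description refers to, as an added example rather than PowerTunnel's own res/xml file (whose contents are not shown in this thread): a Network Security Config that adds user-installed CAs to the trust anchors of an app targeting API 24 or higher. The file name is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (assumed file name; added example,
     not the project's own file) -->
<network-security-config>
    <!-- base-config applies to every connection the app makes.
         Since API 24 the default trust anchors are "system" only, so a
         certificate chain ending in a user-installed root (for example a
         local proxy's root CA) is rejected unless "user" is listed here. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <!-- Trust CAs the user added via Settings > Security. -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <!-- Caveat: placing src="user" only inside a <debug-overrides> block
         takes effect solely in builds with android:debuggable="true";
         release builds ignore it, which looks like "the app does not see
         the installed CA". -->
</network-security-config>
```

The file has no effect until the manifest's `<application>` element references it with `android:networkSecurityConfig="@xml/network_security_config"`, which is the change this PR makes.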
As far as I understand, specifying the Network Security Config will allow the application to trust all the certificates listed in the configuration - but there are no additional certificates other than those set in the system or user space, which are already trusted by default. Or am I missing something?
Sorry if I mess up the technical details, as I've only just researched this topic due to a specific issue, so maybe it is more adequate for me to tell it first. I was trying to use proxy mode in the app, but the app prompts you to install the PowerTunnel root CA to function properly. Now, afaik this is due to the proxy utilizing some kind of encrypted connection (via TLS??) with the host, hence it needs a root CA authority within the system so it can authorize itself (actuate the handshake protocol) for the host to be able to connect to the proxy. After this, the proxy modifies the host's request that will be forwarded to the actual website the user wants to reach. At this stage the proxy can do stuff such as using a custom DNS, DoH, SNI modifications, and other actions to circumvent the Deep Packet Inspection system of the ISP. Now onto my PR: so far as I know, Android used to allow applications to accept user-installed CA certificates prior to Android 7 and its corresponding API level, but as PowerTunnel builds upon Android API level 30 it by default does not accept user-installed CA certificates (by default apps only trust the system default CA certificates), which interrupts the intended function of the app. Luckily there is a way to specify in AndroidManifest.xml that the app should also trust user-installed CA certificates. I haven't dug deep into the options to adjust Network_Security_Config.xml; nonetheless, afaik the current file in place allows PowerTunnel to accept user-installed CA certificates—it just needs to be referenced in the Android manifest to take effect.
I think you have enabled some functionality that needs MITM, e.g. SNI Modification; the certificate installation is needed to decrypt and re-encrypt the traffic. Or are there other problems with installing the certificate on Android 11+?
You are right, what causes the root CA installation dialog was indeed SNI modifications. I am not totally sure if there is really a genuine problem with the installation of certificates, but in my experience, although I checked the user CA certificate store and confirmed that the root CA certificate file PowerTunnel provides was installed successfully, the app never stops presenting the same warning dialog, which insists that the user install the root CA certificate even though it is already installed; therefore this made me question whether the app detects and is able to take advantage of the CA certificates installed by the user, and it came to the point where I suspect it is because of the restrictions AOSP made with Android 7 and the AndroidManifest.xml file of the app that wasn't linked to network_security_config.xml.
Thanks for the research; indeed, it seems I remember the issue where it asks to install a certificate despite already having it installed on Android 11+. Does adding the Network Security Config fix this issue?
The day I created this PR I tried compiling the program but had some issues with the build environment, and it was late at night and I had some other work to do, so I haven't been able to deal with it.
Thanks, I'll wait for a reply.
I would like to additionally note that for me, even after installing the CA on Android 11 successfully, browsers still throw certificate errors and refuse connection. I have enabled "Use third party CA certificates" on Firefox and it worked with my other CA. I suspect that the CA generated by PowerTunnel might be missing some flags that are required by later versions of Android. The working CA I tested was created using mkcert. |
@krlvm I have the same issue with Android 12. After installing the CA, the app doesn't detect it; also websites seem to throw certificate errors and refuse the connection.
@theonlyfoxy I'm sorry, I sent a wrong file accidentally; try this one, please:
Still the same issue is happening. |
So this PR won't fix this I'm afraid :( |
So could you work on a fix? |
I'll see what I can do about it, at the moment I don't have Android 11+ devices where this problem occurs (well, there are, but I don't want to update them to Android 11). |
Well you could try on Android 12 Virtual Machine. |
@krlvm the same issue on Android 13. After installing the CA cert, PowerTunnel keeps showing the dialog saying to install CA. |