I wanted to give Firefox for Android a try (I'm a long-time Chrome user), but after installing it from the Play Store, I discovered it refuses to load any website, always showing this security warning that cannot be ignored: This happens on all sites and only on Firefox for Android, the same sites load correctly in Chrome and also load correctly in Firefox running on a Windows computer that is on the same network as my Android device. Any clues as to why this is happening? I'm running Firefox 105.1.0 on Android 12.

I have an old Android 4.1 tablet running on a Rockchip processor. While it’s quite slow, it still works well enough to display a clock or a web dashboard. The problem is that I can’t browse the internet anymore. I believe this is because many modern websites (likely using CDNs and reverse proxies for load balancing) now require TLS 1.2 or 1.3, which isn’t supported by the outdated Chrome browser installed on this device. Unfortunately, I can’t update to a newer browser since they no longer support Android 4.1. Does anyone have suggestions on how I can enable web surfing again on this tablet?

I am actually trying to debug all the traffic going in and out on my phone. I am using Fiddler on my PC, and ProxyDroid on my phone to do this. HTTP traffic works fine. I am able to decrypt it completely. However, with HTTPS traffic, all I get is "Tunnel to : xxx.xxx.xx.xxx:443 ". Any idea how do I decrypt the traffic going through the HTTPS route? I installed the FiddlerRoot.cer on my phone through the default browser. Still no luck on decrypting the HTTPS traffic. P.S : I am talking about traffic from apps, and not through the browser. My Phone is running ICS and is rooted.

I want to install a reverse proxy useful because I want to put online my emby server on top of Android 14 using https on port 8920. I have fixed the 443 error in this way : sudo setcap CAP_NET_BIND_SERVICE=+eip $(which caddy) solution taken from here : https://serverfault.com/questions/807883/caddy-listen-tcp-443-bind-permission-denied and I removed the parameter “–disable-redirects” from the Caddyfile. now I run caddy with this command : /data $ sudo caddy run -c /data/Caddyfile the situation seems to be better,but caddy seems to does still run for some reason,but I don’t understand why : https://ibb.co/r6jw9Ss https://ibb.co/LrmDBy1 I don’t see errors,it should work,but when I open my website,at address : https://ziomario.ns0.it:8920 it says : unable to connect. why ? In the emby control panel I see : Lan Access = http://192.168.1.7:8096 (and it works) Wan Access = https://ziomario.ns0.it:8920 (and it does not work) In Network settings I chosen : LAN networks = empty local IP address = empty http local port = 8096 https local port = 8920 http public port = 8096 https public port = 8920 external domain = ziomario.ns0.it secure connection mode = managed by the reverse proxy. On my router I have opened ports : 8096,8920,443,80 in TCP and UDP mode… If you want to read the full story,I've opened a thread here : https://caddy.community/t/installing-ssl-https-using-a-reverse-proxy-like-caddy-on-android/25182 But it seems to be hard to be able to accomplish this task,so I took the decision to ask here,too,because I know that this place is full of qualified experts in every tech field. PS : actually this is my Caddyfile : nano /data/Caddyfile : ziomario.ns0.it { encode reverse_proxy 192.168.1.7:8096 }

I want to monitor the https traffic of an Android app downloaded from google play. This app can only be run at Android N and above. So I use Charles proxy and follow [this document](https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/) to modify the apk file. Here's what I have done: 1. Download the app from google play. 2. Use [apk extractor](https://play.google.com/store/apps/details?id=com.ext.ui&hl=en) to get the apk file of the app. 3. Run apktool d the_app.apk to extract the apk file. 4. Modify res/xml/network_security_config.xml and AndroidManifest.xml based on the description of [Charles Proxy document](https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/) . 5. Run apktool b the_app to package the files back to an apk file. 6. Install the apk on my Android phone, whose version is 8. 7. My phone says "App not installed". Why can't I install the modified apk on my phone? I've disabled Google Play Protect on my phone. The apktool is installed by following the [description here](https://ibotpeaches.github.io/Apktool/install/) . Is there anything I missed?

According to a well-regarded QA answer by a member of our Android community here on Stack Exchange: > By the current schedule, Let's Encrypt cross signing will end on September the 30th 2024. After this date Android 7.1 stock devices will become more or less useless for Internet surfing as all Let's encrypt based certificates will be considered untrusted and the connection will not be established. Has this schedule changed? I haven't seen any announcement of a change, but I've noticed that affected devices suddenly have certificate validation failures when trying to connect to many internet hosts. The problem seems to stem from Let's Encrypt R3, which is affected by the changes that were supposed to be effective much later this year. Is there any documentation as to why these devices are being affected earlier than planned? Are there any workarounds for non-rooted devices? Relevant: - https://letsencrypt.org/2024/03/19/new-intermediate-certificates - https://letsencrypt.org/2020/12/21/extending-android-compatibility.html - https://community.letsencrypt.org/t/lets-encrypt-new-intermediate-certificates/209498

In January 2021 all devices with Android prior to 7.1.1 will not be able to connect to HTTPS servers using Let's Encrypt certificate ([Let's Encrypt blog post explaining the details](https://letsencrypt.org/2020/11/06/own-two-feet.html)) Is there any workaround that's system-wide (i.e. all apps, not just a single app, like using Firefox) for the SSL certificate expiration on Jan 11th 2021? Assume that one has root access to their device, and that upgrading to a newer device is not an option.

I have two legacy Android 4.0 Garmin Monterra devices. It's not possible anymore to open the Google Play Store or some websites. When I open most of the websites with Chrome, I receive an SSL error 107. Some websites with HTTPS or HTTP are possible to open. I'm guessing that there is an issue with the CA certificates. I found this solution [Update trusted SSL root certs in AOSP](https://stackoverflow.com/q/68587205/2821954) , but it's not possible to copy the certificates to the devices. I tried the ADB-Shell but without any success (permission issue). Is there any solution to update expired certificates? Is it possible to convert the ca-certificates from the .0 file format to any other possible format and to import over the SD certificate import from Android 4.0?

I have enabled HTTPS filtering in AdGuard. I installed AdGuard's certificates, and the Magisk module that moves the certificates to the system store. Nevertheless, some apps don't work. Why is this? If the certificate is in the system store how can they tell the difference? Also is there a way to tell which apps actually use HTTPS?

Requestly.io currently allows to intersect the HTTP and HTTPS packets if requests are made from google chrome as the SSL certificates can not be installed for "VPN and App". How to inspect any android app's HTTP/HTTPS request using Requestly.io if the phone is running Android T (13)?

I want to setup this app called Http Toolkit and for some reason I have the warning "System Trust Disabled". My android 11 device is rooted using ksu . How do I trust a certificate on android device?

I tried asking this on xdaforums but did not get a useful answer so I thought I would try here. I've got some very old devices (used as wifi-only) that are starting to have issues connecting to (some but not all) modern websites. One runs FroYo, another Ice Cream Sandwich. They are both rooted and I have ADB working on both of them. Some of the sites in question are using very little javascript, so even the old browsers that can be installed on them used to connect okay until VERY recently. I have succeeded in updating the root certs on both of these, which has helped with some web sites, but not all. The troublesome change seems related to certificate updates on some of the websites. Where they used to be using TLS1.1 and certs based on SHA1, they have changed to TLS 1.3 and SHA256, which these old devices don't support. I should add that this is not just about browsers. There are similar issues with other apps like email, VoIP callling, XMPP clients, weather apps, pretty much anything that needs network access. There are also issues connecting to certain specific (but not all) wifi networks, I suspect a similar cause for this too. So, I want to update the version of libssl.so used on these devices. I have found some instructions on how to compile this, which looks like it will be an adventure unto itself (and maybe a separate topic for further questions). One helpful detail about devices this old, they do not yet use dm-verity, so at least I will not need to bother about dealing with that. Before I get too far down the compilation rabbit hole, assuming I manage to get it compiled correctly, is it really as simple as just dropping the replacement files into /system/lib ? Do I also need to update libcrypt.so at the same time? Or are there other items I would also need to update? Has anyone done this before, short of rebuilding the entire ROM?

I have an **Asus Transformer TF101** that is running **Android 4.0.3**. The tablet can connect websites in HTTP without issue but not in HTTPS. **Most HTTPS websites are totally unreachable.** Some websites (from large institutions) are reachable after accepting several certificat issues warnings, but display badly. The clock of the tablet was set correctly. I assume the issue has to see with how the tablet is able to deal with certificates, and also with its aging native Internet browser (which is not apparently not Chrome). **I unsuccessfully attempted upgrading the tablet firmware**, but got an error message "**Internet connection error or server busy**. Please wait and try again". I assume this issue could be caused by disabled upgrade server and/or SSL certificate issues. **Is there still a way to upgrade such a tablet**, preferably without jailbreaking it?

Using a Pixel 6a, running Android 13. I am trying to install certificates from a private CA I have established on the internal network. I was able to install the root certificate by doing the following: Settings > Security & Privacy > More security settings > Encryption & credentials > Install a certificate From there I am able to select the ca.crt file I had copied from the CA server. I can see this new certificate when I hit "Trusted credentials" under the "User" section. When I try to repeat those exact same steps to add a server specific cert, it's never added as I can't see it under "Trusted credentials". There is no error NOR a confirmation that this certificate was applied successfully. Edit: When I successfully install the CA cert, I get a small tooltip/popup saying it's been installed successfully. When trying to install the non-root certs, I get no confirmation, and am simply returned to the previous UI view.

I've extracted an apk(react native) with dex2jar and jar to java through jd-qui and also with apktool, and I can view the source code but there is no clue where are the HTTP requests in the source code. When I intercept the apk traffic I can see all the requests to graphql endoint but I cannot see in the source code, where they are triggered or stored. I searched the extracted source code with some keywords such as grahpql endpoint name, and the server address but still no result. And the code seems not obfuscated to me, just some parts are like;

@Metadata(d1 = {"\000\026\n\002\030\002\n\002\020\000\n\000\n\002\020\002\n\000\n\002\030\002\n\000\bf\030\0002\0020\001J\020\020\002\032\0020\0032\006\020\004\032\0020\005H&\006\006"}, d2 = {"Lcom/shopify/arrive/E2EModule;", "", "launch", "", "intent", "Landroid/content/Intent;", "app_release"}, k = 1, mv = {1, 7, 1}, xi = 48)
public interface E2EModule {
  void launch(Intent paramIntent);
}

Is there any way to reach where these requests are triggered or stored on the source code? This is the apk name, com.shopify.arrive

At my school, when logging into wifi for the first time, we enter our ID & password into a normal wifi login page, then we download a certificate. I cannot confirm if the certificate changes depending on which student logs in. After downloading the certificate, we must install it as a **Trusted Root CA Certificate**. My Samsung phone says that "your network may be monitored" after installing this certificate. My main question is if this can: 1. Allow the school to see what websites i visit 2. Cause security vulnerabilities 3. Slow down my web browsing 4. Route my internet traffic through a middle man Thanks everyone for the help

I'm looking for a way to bypass a target app using a non-system certificate. The HttpCanary app itself does give a 'solution' however it's incredibly unclear:

Goto Settings->HttpCanary root CA settings and export HttpCanary.pem, and then reverse the target app to replace the cacert file.

I feel like I've looked all over, but it seems like no one is talking about it. I've looked into the AndroidManifest.xml of the app to find the certificates the app uses, but that just pointed me to the system and user certificates. Next I looked into /data/data//files/ of the app which does contain a Certificates.pem file, which contains a list of different certificates, so maybe if I replace it with HttpCanary's certificate it could work? Anyway, I'd appreciate any insight on this. If you'd prefer to discuss it in private just let me know. Thank you for any help.

I have a Root CA (airgapped, openssl) that I use for a lot of internal lab projects. In the past, I've just imported the CA cert into the User credentials store on Android and the system began trusting it immediately. I just wiped my phone and now, on Android 11, I'm unable to get this Root CA trusted the way it was before. The CA cert definitely has the CA:TRUE extension:

$ openssl x509 -in root.crt -noout -text|grep -B2 TRUE
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE

The Server cert that's presented in the SSL exchange matches the DNS name and also includes the same name in the SAN extension:

(...)
        Issuer: O =  Lab Root CA, emailAddress = , L = , ST = , C = US, CN =  Lab Root CA
        Validity
            Not Before: Aug 13 11:39:55 2020 GMT
            Not After : Aug 13 11:39:55 2023 GMT
        Subject: C = US, ST = , CN = 
(....)
            X509v3 Subject Alternative Name: 
                DNS:

The server I'm testing with correctly chains the cert in the TLS response, and this setup works great across a bunch of browsers and OS combinations in the desktop world (and worked until recently on Android). I've tried the following: - Import the Root CA Certificate through the normal "Import from SD Card" method. The CA imports properly, but Chrome still gives invalid authority browser warnings. - (Rooted) moving the imported cert from the user /data/misc/user/0/cacerts-added imported credentials folder to /system/etc/security/cacerts. The CA appears correctly in the "System" tab of Trusted Credentials, but still doesn't work in chrome - Manually crafting the DER-encoded file into the System cacerts folder. Chrome still doesn't work. - Following the example of some PEM-encoded trusted CA certs already on the system, crafting my own and putting it into System cacerts. Chrome still doesn't work. - I tried using a Magisk module to move User trusted certs to the System store. This module worked as described, and moved my Root CA into the System tab, but Chrome still didn't want to trust for SSL and continues to give out browser warnings. Some other observations: - Running curl -vv https:// via adb constantly complains about SSL certificate problem: self signed certificate in certificate chain even though the CA that the certificate is signed by is in the Trusted credentials store. - The CA trust chain definitely works fine in desktop browsers, and via openssl s_client on a desktop (Verify return code: 0 (ok) when the Root CA is imported into the desktop trust) - I've cleared Chrome's app storage every time I go to test after making a change. No dice. Is there anything else I can try or a setting that I've missed? It's very annoying to not be able to manage trusted Root CAs on Android 11 like I used to. I'd rather not have to turf the whole airgapped, comprehensive SSL CA that I've set up for something like Let's Encrypt just because of Android compatibility so please don't suggest that as an alternative. There are lots of internal-only endpoints in this lab and my public DNS provider doesn't support automation for dns-01 ACME, so it would be a really big pain to proxy and juggle these certs. Here's a sample of what one of the server certs looks like:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4123 (0x101b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O =  Lab Root CA, emailAddress = , L = , ST = , C = US, CN =  Lab Root CA
        Validity
            Not Before: Dec 23 13:06:42 2021 GMT
            Not After : Dec 22 13:06:42 2024 GMT
        Subject: C = US, ST = , CN = monitoring.lab.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
(...)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                (...)
            X509v3 Authority Key Identifier: 
                keyid:(...)
                DirName:/O= Lab Root CA/emailAddress=/L=/ST=/C=US/CN= Lab Root CA
                serial:(...)

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:monitoring.lab.
    Signature Algorithm: sha256WithRSAEncryption
(snip)

When browsing the internet using the Wi-Fi hotspot of my Android phone (**Xiaomi Redmi Note 10 Pro**), some requests fail with the following error: net::ERR_SSL_PROTOCOL_ERROR Here is a screenshot of the error I'm getting in Chrome for Mac OS: I noticed that it is happening only on specific websites (I have no issues on Stack Overflow for example). This also seems to be happening regardless of the LTE network quality. I tried using the Wi-Fi hotspot from another phone, and everything is working as intended. I'm using a Xiaomi Redmi Note 10 Pro running MIUI 12.5.6, and I'm browsing on Chrome on Mac OS 10.14.6. Anybody have an idea on how to debug this issue? Thank you

I'm using Asus Memo Pad (ME172V) running Android 4.1.1. Apps (Facebook, Play Store, Yahoo! Mail, Skype, etc) cannot access the WiFi network. I can browse using Chrome (except for SSL sites) and can use the YouTube app. Tried: - Rebooting via safe mode - Clear app cache - Removing and adding accounts