movecert
Certificate Transparency issue with Chrome 99+
It looks like the configuration provided by this module is in conflict with Chrome 99+ on Android. This is due to the new Certificate Transparency enforcement that went live in Android's Chrome 99 on March 1, 2022. https://support.google.com/chrome/a/answer/7679408
This is just an FYI - I'm not sure what the best path forward is on this.
See below for the error received when proxying traffic when using the movecert module. This is with Burp Suite on Chrome 99+ on Android 11. Duplicated on Android 12.
I'm experiencing the same with a different mitm proxy.
See here for more info on the issue. The only fix seems to be installing the certificate in both the user store and the system store. https://github.com/AdguardTeam/AdguardForAndroid/issues/4124#issuecomment-1065939813
Awesome thanks @wrongway213
The answer as I understand it: install the certificate in both locations, the System store and the User store. Then hide the System store version from Chrome using Magisk -> Settings -> Zygisk (Beta) + Enforce DenyList + Configure DenyList for Chrome (system app).
If I get this working I'll add more fidelity here with screenshots and steps.
You're very welcome @andyacer but there's one major issue: Hiding Chrome in Magisk is known to cause a wide array of issues. What is needed is a solution that allows the certificate to reside both in user and system store, without hiding Chrome from Magisk. It appears the certificate needs to actually be installed in both locations, with a mechanism to make browser(s) fall back to the user certificate.
Btw, the issue is also discussed here: https://forum.portswigger.net/thread/android-chrome-99-certificate-transparency-feature-blocks-burp-certificate-929ab74d
I would appreciate it if the script would change from "Move" (mv) to "Copy" (cp) as a minimum.
PR has been submitted with a fix for the Chrome CT issue.
This fix changes the behavior of this script to copy instead of move the certificate. The certificate now resides both in the System store and the user store. By using Zygisk and the Enforce DenyList feature to hide Magisk from Chrome, this seems to fully address this problem.
Recommended way to use this module:
- Install the updated Move Certificates module.
- Install the desired certificate to user store.
- In Magisk, enable Zygisk, enable Enforce DenyList and then add Chrome to the DenyList.
- Reboot your phone.
- Chrome should work using the certificate in the user store, and all the other apps should work using the certificate in the system store.
- If you want to add any other apps later, just add them to the Magisk Hide list/DenyList, then force stop that app. Next time it launches it should use the certificate in the user store. Removal works the same way.
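A check for the dual-store state described in the comment above, as an added example that is not part of the original thread or the module's own code: after the reboot step, it confirms that every certificate in the user store also exists byte-for-byte in the system store. The function name and the default paths (the standard Android CA directories) are assumptions; the thread does not state them.

```shell
#!/bin/sh
# Added example: verify the "copy instead of move" result on a rooted test device.
# Default paths are the usual Android CA locations (assumption, not from the thread).
USER_STORE="${USER_STORE:-/data/misc/user/0/cacerts-added}"
SYSTEM_STORE="${SYSTEM_STORE:-/system/etc/security/cacerts}"

# check_cert_stores USER_DIR SYSTEM_DIR   (hypothetical helper name)
# Prints one status line per user-store certificate and returns:
#   0  every user cert is present and identical in the system store
#   1  at least one cert is missing from, or differs in, the system store
#   2  the user store is empty or unreadable, so nothing was compared
check_cert_stores() {
    user_dir=$1
    system_dir=$2
    result=0
    found=0
    for cert in "$user_dir"/*; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$cert" ] || continue
        found=1
        name=$(basename "$cert")
        if [ ! -f "$system_dir/$name" ]; then
            # This is the state a "move" in the wrong direction, or a failed copy, leaves.
            echo "MISSING  $name (user store only)"
            result=1
        elif ! cmp -s "$cert" "$system_dir/$name"; then
            # Same hash-style file name but different bytes, e.g. a stale
            # certificate left over from an earlier proxy CA.
            echo "DIFFERS  $name (same name, different contents)"
            result=1
        else
            echo "OK       $name (present in both stores)"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "EMPTY    no certificates in $user_dir"
        return 2
    fi
    return "$result"
}
```

Run it from a root shell on the device as `check_cert_stores "$USER_STORE" "$SYSTEM_STORE"`; a `MISSING` line means that certificate was never copied into the system store.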
good answer, thank you
Hi, I have created a module to solve this via Chrome flags. https://github.com/JelmerDeHen/MagiskBypassCertificateTransparencyError