
Unexpected TLS failure

directentis1 opened this issue (1 comment)

I've noticed that some functionality doesn't work if I enable the proxy, such as functionality using the Google Maps APIs (with the app I'm currently testing).

For example, if I clear all app cache and data before enabling the intercept proxy, the map in the app is plain white. Only when I turn off the proxy is the map loaded in the next intercept session, but it seems that it still doesn't work in the map function (although it still intercepts other packets; sometimes it works, sometimes it doesn't).

Error message as below:

 !!! --- Unexpected TLS failure --- !!!
      CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
      Thrown by com.android.org.conscrypt.TrustManagerImpl->verifyChain
      [ ] Unrecognized TLS error - this must be patched manually

 !!! --- Unexpected TLS failure --- !!!
      SSLPeerUnverifiedException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
      Thrown by xr.b->a
      [ ] Unrecognized TLS error - this must be patched manually

 !!! --- Unexpected TLS failure --- !!!
      CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
      Thrown by com.android.org.conscrypt.TrustManagerImpl->verifyChain
      [ ] Unrecognized TLS error - this must be patched manually

 !!! --- Unexpected TLS failure --- !!!
      SSLPeerUnverifiedException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
      Thrown by xr.b->a
      [ ] Unrecognized TLS error - this must be patched manually

The app whose workings I'm trying to understand is a ride-hailing app. It uses SSL pinning (although at a rudimentary level).

Do you have any suggestions for me in this case?

directentis1 · Dec 22 '24 10:12

Can you share the full command line you're running? The Android version of your device and the details of the app you're intercepting would also be helpful, and the details of how it's set up (how it's rooted, whether your cert is injected into the system CA store and how, etc.).

What proxy are you using? I think I've seen similar issues when HTTP/2 isn't actively used with Google Maps specifically (I think they make some connections which say via ALPN that they work with HTTP/1.1 or HTTP/2, but do actually require HTTP/2, which causes problems). It would be interesting to test forcing HTTP/2 to check this (in HTTP Toolkit, under the Pro settings, select 'Enabled for all clients' under 'HTTP/2 support').

xr.b->a is definitely interesting anyway. If you open that up with JADX (here's a guide: https://httptoolkit.com/blog/android-reverse-engineering/) is the code for that method anything recognizable? If you try googling any visible strings etc you may find it's an obfuscated version of a known pinning technique, and we could improve the auto-unpinning to catch that.

com.android.org.conscrypt.TrustManagerImpl->verifyChain is more surprising. You'll need to do some debugging to see what's up there. What should happen is that this code in android-system-certificate-injection.js ensures that all TrustManagerImpls have the given certificate pre-trusted (because they all use the index implementations listed in that hook). I'm not aware of any cases where that doesn't work, but it may depend a bit on the command & setup you're using.

pimterry · Dec 24 '24 12:12
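The reply above splits the reported failures into two kinds: an obfuscated app call site (`xr.b->a`) that may need a manual hook, and a platform trust-store call site (`TrustManagerImpl->verifyChain`) that points at the system CA injection. The following Node script is an added triage helper, not part of frida-interception-and-unpinning; it parses the "Unexpected TLS failure" blocks in the exact format printed in this issue (the sample log below is constructed from them) and groups them by call site with a heuristic classification, so a long Frida session log can be reduced to the distinct sites that still need attention.

```javascript
// Constructed sample: the two kinds of failure block quoted in this issue.
const SAMPLE_LOG = [
  ' !!! --- Unexpected TLS failure --- !!!',
  '      CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.',
  '      Thrown by com.android.org.conscrypt.TrustManagerImpl->verifyChain',
  '      [ ] Unrecognized TLS error - this must be patched manually',
  '',
  ' !!! --- Unexpected TLS failure --- !!!',
  '      SSLPeerUnverifiedException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.',
  '      Thrown by xr.b->a',
  '      [ ] Unrecognized TLS error - this must be patched manually',
].join('\n');

const FAILURE_MARKER = 'Unexpected TLS failure';

// Platform trust-store packages (assumed list): a failure thrown from here
// usually means the interception CA is not trusted by the system store.
const PLATFORM_PREFIXES = ['com.android.org.conscrypt.', 'java.', 'javax.', 'android.'];

// Each block is four lines: marker, "Exception: message", "Thrown by cls->method", status.
function parseTlsFailures(log) {
  const lines = log.split('\n').map((l) => l.trim());
  const failures = [];
  for (let i = 0; i + 3 < lines.length; i++) {
    if (!lines[i].includes(FAILURE_MARKER)) continue;
    const sep = lines[i + 1].indexOf(': ');
    const [cls, method] = lines[i + 2].replace(/^Thrown by /, '').split('->');
    failures.push({
      exception: lines[i + 1].slice(0, sep),
      message: lines[i + 1].slice(sep + 2),
      cls,
      method,
      unrecognized: lines[i + 3].includes('Unrecognized'),
    });
  }
  return failures;
}

// Heuristic: a class whose package segments are all 1-2 characters (e.g. xr.b)
// is almost certainly ProGuard/R8-obfuscated app code worth opening in JADX.
function looksObfuscated(cls) {
  const parts = cls.split('.');
  return parts.length > 1 && parts.every((p) => p.length <= 2);
}

function classify(cls) {
  if (PLATFORM_PREFIXES.some((p) => cls.startsWith(p))) return 'platform-trust-store';
  return looksObfuscated(cls) ? 'obfuscated-app-code' : 'app-code';
}

// Collapse the log to one entry per call site with a count and the exception types seen.
function summarize(log) {
  const summary = {};
  for (const f of parseTlsFailures(log)) {
    const site = `${f.cls}->${f.method}`;
    summary[site] ??= { count: 0, kind: classify(f.cls), exceptions: new Set() };
    summary[site].count++;
    summary[site].exceptions.add(f.exception);
  }
  return summary;
}

for (const [site, s] of Object.entries(summarize(SAMPLE_LOG))) {
  console.log(`${site}: ${s.count}x ${[...s.exceptions].join(',')} [${s.kind}]`);
}
```

Pipe a real session log through `summarize` instead of `SAMPLE_LOG` to see, per call site, how often each failure recurs and whether it belongs to the system trust store or to the app's own (possibly obfuscated) pinning code.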