PINDROP BLOG

Bypassing the CA Restrictions in Android Nougat

One of the new security features Google added to Android Nougat is that apps targeting API level 24 or higher no longer trust user-installed certificate authorities by default. The goal is to protect the traffic to and from apps, but a researcher has found a way around that protection, by repackaging the app, and with it a method to intercept HTTPS traffic from apps on Nougat.

Google said last week that it had made the change in Nougat as part of a major overhaul of Android’s security model. The idea is to prevent attackers and malicious or careless app developers from setting up a system to man-in-the-middle HTTPS traffic.

“To make it easier for apps to control access to their secure network traffic, user-installed certificate authorities and those installed through Device Admin APIs are no longer trusted by default for apps targeting API Level 24+,” Xiaowen Xin of the Android security team said.

Security researcher Vikas Gupta decided to take a look at how the system works in practice. Nougat, which began rolling out last week, ships with its own system CA store, and for apps targeting API level 24+ those CAs are the only ones trusted by default. Gupta began looking for a way to make an app on Nougat trust another CA and then intercept the secure traffic to and from that app.

His initial effort did not go well.

“So with a task in hand, I picked up an open source Android application and compiled it with target SDK Level 24 (for Android 7.0). I prepared a release build and installed it on a device running Android 7.0. I used mitmproxy for the job to intercept network traffic. And to no surprise, the application was not able to connect and reported no internet connectivity,” Gupta wrote in an explanation of the research.

After looking through Google’s public materials on the feature, Gupta settled on the idea of adding a Network Security Configuration file to the app itself. The configuration is an XML resource, referenced from the app’s manifest, that tells the platform which trust anchors the app accepts; by repackaging the app with a configuration that re-adds the user CA store, the app can be made to trust a proxy’s CA again.

“We need to decompile the application using apktool and introduce a network_security_config.xml (shown below) file in the res/xml folder of the application. Recompile the application with apktool again, sign it using jarsigner and we are good to go,” he said.
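The procedure above, written out end to end as an added example. This is not Gupta’s script and the configuration it writes is my own, not the one from the original post: it re-adds the user CA store (`src="user"`) next to the system store for every connection the app makes, and wires the file into the manifest, which is required because the platform ignores a configuration that the manifest does not reference. The tool names (`apktool`, `keytool`, `jarsigner`, `adb`) are the standard ones; the file names `app.apk`, `patched.apk`, `work/` and `debug.keystore` are assumptions.

```shell
#!/bin/sh
# Added example (not Gupta's script): repackage an APK so that an app
# targeting API 24+ trusts user-installed CAs again, by adding a Network
# Security Configuration. Assumed names: apktool, keytool, jarsigner and adb
# on PATH; app.apk, patched.apk, work/ and debug.keystore as file names.
set -e

# Write res/xml/network_security_config.xml under the decompiled tree.
# This configuration is the example's own, not the one from the original
# post. It adds the user CA store next to the system store for every
# connection. For a debug-only build, the same <trust-anchors> would go
# inside <debug-overrides>, which only applies while android:debuggable is true.
write_nsc_config() {
    dir="$1"
    mkdir -p "$dir/res/xml"
    cat > "$dir/res/xml/network_security_config.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
EOF
}

# Point <application> at the config. Refuse to touch a manifest that already
# declares one: the existing config may pin certificates and needs a manual
# look rather than a blind overwrite. Assumes the tag is written as
# "<application " on one line, which is what apktool emits.
patch_manifest() {
    manifest="$1"
    if grep -q 'android:networkSecurityConfig' "$manifest"; then
        echo "manifest already declares a networkSecurityConfig; edit it by hand" >&2
        return 1
    fi
    sed -i.bak \
        's/<application /<application android:networkSecurityConfig="@xml\/network_security_config" /' \
        "$manifest"
    rm -f "$manifest.bak"
    # Fail loudly if the substitution did not happen.
    grep -q 'android:networkSecurityConfig="@xml/network_security_config"' "$manifest"
}

# Full procedure: decode, patch, rebuild, sign with a throwaway key, install.
# The signing key differs from the developer's, so the original app must be
# uninstalled first: Android will not upgrade an app across signing keys.
repackage_and_install() {
    apk="$1"; out="$2"; work="${3:-work}"
    apktool d -f "$apk" -o "$work"
    write_nsc_config "$work"
    patch_manifest "$work/AndroidManifest.xml"
    apktool b "$work" -o "$out"
    if [ ! -f debug.keystore ]; then
        keytool -genkeypair -keystore debug.keystore -alias androiddebugkey \
            -keyalg RSA -keysize 2048 -validity 10000 \
            -storepass android -keypass android \
            -dname "CN=Android Debug,O=Android,C=US"
    fi
    jarsigner -sigalg SHA256withRSA -digestalg SHA-256 \
        -keystore debug.keystore -storepass android "$out" androiddebugkey
    pkg=$(sed -n 's/.*package="\([^"]*\)".*/\1/p' "$work/AndroidManifest.xml" | head -n 1)
    adb uninstall "$pkg" >/dev/null 2>&1 || true
    adb install "$out"
}

# Usage: sh repackage.sh app.apk patched.apk
[ $# -eq 0 ] || repackage_and_install "$@"
```

Two caveats a practitioner should keep in mind. First, this only changes which CAs the platform's default TrustManager accepts; an app that pins certificates in its own code (for example with an OkHttp CertificatePinner) will still reject the proxy, and that has to be dealt with separately. Second, the proxy's CA still has to be installed on the device as a user CA (Settings, Security, Install from storage); the configuration only makes the app consult that store.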

Although his method for bypassing the CA trust restrictions worked and he was able to intercept the HTTPS traffic, Gupta said the approach has some drawbacks, specifically the need to modify the app and install it manually on a target device.

“To intercept the traffic, the apk file needs to be changed and reinstalled. The modified apk will not be signed by the original developer’s certificate and also this modified apk has to be installed by the user manually (not via Google Play),” Gupta said by email.

“Google can defend in theory by just not allowing CA authorities apart from [the ones] trusted by OS. But that won’t be practical for various purposes, including debugging while [in] development.”