Install System Root Certificate¶

This API is used to install a system-level root certificate within your Android system and is compatible with all Android versions. You might be confused about the difference between the root certificate mentioned here and FIRERPA's service certificate. The FIRERPA service certificate is used to encrypt the communication traffic between FIRERPA and you, while the root certificate referred to here is a root certificate for the Android system. This certificate is used for the encryption and decryption of traffic such as HTTPS within the system. If you are familiar with packet sniffing, the root certificate here is the certificate used for that purpose. You can implement man-in-the-middle (MITM) packet sniffing by using the API in this chapter combined with the set proxy API. Of course, you can also choose to use our pre-packaged startmitm.py script. We are only introducing the implementation of this basic feature here.

Prerequisites¶

Please ensure you have the certificate provided by Fiddler or mitmproxy ready. For mitmproxy, the certificate you should use is mitmproxy-ca-cert.pem. For Fiddler, it might be in CRT format. You should be able to export this file from Fiddler. Simply provide the file path as an argument; you don't need to worry about any filename conversion issues. To avoid wasting unnecessary time, we recommend using mitmproxy. If you are using tools like Charles, we cannot guarantee that you can complete the setup in one go, because the configuration for such applications is more complex, and you may need to understand various proxy types to correctly configure an HTTPS MITM proxy. If you must use it, we recommend using Charles's SOCKS5 as the proxy protocol.

Install Root Certificate¶

Once you have the path to your prepared certificate file, you can directly use the following API to install the mitmproxy root certificate. Once installed, it will persist permanently and does not need to be reinstalled.

d.install_ca_certificate(cert_path)

Uninstall Root Certificate¶

You can call the following code to remove the custom root certificate installed on the device. We do not recommend frequent installation and uninstallation. If it's not necessary, you don't need to call this API.

d.uninstall_ca_certificate(cert_path)

The complete code is as follows (we will not repeat the instantiation of the d device instance):

import os

# Construct the path to the mitmproxy-ca-cert.pem file
HOME = os.path.expanduser("~")
cert_path = os.path.join(HOME, ".mitmproxy", "mitmproxy-ca-cert.pem")
# Taking mitmproxy as an example, use the following code to install the MITM certificate
d.install_ca_certificate(cert_path)

# Use the following code to uninstall the certificate
d.uninstall_ca_certificate(cert_path)

This certificate installation/uninstallation API is generic. You can use it to install any certificate that an application requires you to install. You can also use it to install the certificates required by Fiddler/Charles; just provide the file path. If you intend to sniff packets, you can then refer to the Set Proxy chapter and set the proxy to the address monitored by the MITM application.