com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException: inStream is empty #125

Open
patrikschmidtke opened this issue Dec 5, 2024 · 1 comment


patrikschmidtke commented Dec 5, 2024

I am trying to use this for capital.scalable.droid (https://play.google.com/store/apps/details?id=capital.scalable.droid).

I start it with:


PACKAGE_ID=capital.scalable.droid
frida -U \
    -l ./config.js \
    -l ./native-connect-hook.js \
    -l ./native-tls-hook.js \
    -l ./android/android-proxy-override.js \
    -l ./android/android-system-certificate-injection.js \
    -l ./android/android-certificate-unpinning.js \
    -l ./android/android-certificate-unpinning-fallback.js \
    -f $PACKAGE_ID

However, HTTPS connections are not working; it is just loading indefinitely. The log looks like this:

== System certificate trust injected ==
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==

 !!! --- Unexpected TLS failure --- !!!
Manually intercepting connection to ::ffff:35.241.3.184:443
      CertificateException: com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException: com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException: inStream is empty
      Thrown by com.android.org.conscrypt.OpenSSLX509CertificateFactory->engineGenerateCertificate
      [ ] Unrecognized TLS error - this must be patched manually
Manually intercepting connection to ::ffff:35.241.3.184:443
Manually intercepting connection to ::ffff:64.233.166.94:443
Manually intercepting connection to ::ffff:64.233.166.94:443

The proxy (mitmproxy) logs messages like:

Client TLS handshake failed. The client does not trust the proxy's certificate for secure.scalable.capital (OpenSSL Error([('SSL routines', '', 'sslv3 alert certificate unknown')]))

Any idea what might be the issue? Thank you!

Member

pimterry commented Dec 6, 2024

I'd guess that this probably means that they're trying to manually read the raw certificate from the connection for custom certificate validation and that's failing due to one of the hooks (though I'm not sure which) stubbing the connection setup process in a way that breaks this.

That means this error could be avoided by fixing that hook, but you're probably still going to need a custom hook for the custom validation logic here regardless.

To work out exactly what's going on here, you'll need to tweak the scripts to print a full stack trace when this happens, and then reverse engineer the app (guide here: https://httptoolkit.com/blog/android-reverse-engineering/) to go through the relevant code and understand how that's being called and how to disable it. Try working through the guide and see if you make any progress there, and let me know if you have any specific questions. If you come up with any general-purpose fixes, do please share them so the scripts here can be updated (but if it ends up being a very app-specific hook, that's probably something you'll need to maintain yourself separately).
