diff --git a/doc-src/certinstall/android-proxydroidinstall.png b/doc-src/certinstall/android-proxydroidinstall.png deleted file mode 100644 index f84c9eefc..000000000 Binary files a/doc-src/certinstall/android-proxydroidinstall.png and /dev/null differ diff --git a/doc-src/certinstall/android-proxydroidsettings.png b/doc-src/certinstall/android-proxydroidsettings.png deleted file mode 100644 index 70a73d2d2..000000000 Binary files a/doc-src/certinstall/android-proxydroidsettings.png and /dev/null differ diff --git a/doc-src/certinstall/android.html b/doc-src/certinstall/android.html index 3f57c39e3..852938cee 100644 --- a/doc-src/certinstall/android.html +++ b/doc-src/certinstall/android.html @@ -4,9 +4,9 @@ embarrasment](http://code.google.com/p/android/issues/detail?id=1273). It's scarcely credible, but Android didn't have a global proxy setting at all until quite recently, and it's still not supported on many common Android versions. In the meantime the app ecosystem has grown used to life without this basic -necessity, and many apps merrily ignore it even if it's there. The upshot is -that in many cases the only way to make interception work on Android is to do -it without relying on the proxy settings. +necessity, and many apps merrily ignore it even if it's there. This situation +is improving, but in many circumstances using [transparent +mode](@!urlTo("transparent.html")!@) is mandatory for testing Android apps. We used an Asus Transformer Prime TF201 with Android 4.0.3 in the examples below - your device may differ, but the broad process should be similar. @@ -16,7 +16,7 @@ Installing the mitmproxy certificate ==================================== The first step is to install mitmproxy's interception certificate on the -Android device. In your ~/.mitmproxy directory, there should be a file called +Android device. In your ~/.mitmproxy directory, there is a file called __mitmproxy-ca-cert.cer__ - we need to transfer this file to __/sdcard/Downloads__ on the Android device. If this file doesn't exist for you, your certs were generated with an older version of mitmproxy - just copy @@ -51,53 +51,3 @@ settings, you're just about done - simply configure the settings to point at mitmproxy. If not, proceed to the next step... -Working around Android's proxy shortcomings -=========================================== - -In response to Android's proxy situation, a number of apps have been created to -duct-tape proxy support onto the OS. These tools work by running a rudimentary -local proxy on the device, and forwarding all traffic destined for HTTP/S ports -to it using iptables. Since the proxy is running locally, it can detect what -the final IP address of the redirected traffic would have been. The local proxy -then connects to a user-configured upstream proxy, and initiates a proxy -CONNECT request to the destination IP. - -Now, if the configured upstream proxy is mitmproxy, we have a slight problem. -Proxy requests from the Android device in this scheme will specify only the -destination IP address, __not__ the destination domain. Mitmproxy needs the -target domain to generate a valid interception certificate. The solution is -mitmproxy's [upstream certificate](@!urlTo("upstreamcerts.html")!@) option. -When this is active, mitmproxy makes a connection to the upstream server to -obtain the certificate Common Name and Subject Alternative Names. - -Adding all this together, we can achieve reliable Android interception with -only a few more minutes of setup. The instructions below show how to set up an -Android device with -[ProxyDroid](https://play.google.com/store/apps/details?id=org.proxydroid) (the -local "duct-tape" proxy implementation) to achieve interception. - -Install ProxyDroid ------------------- - -First, root your device - this is required to install ProxyDroid. Then install -ProxyDroid from the Google Play store: - - - -You will be prompted for super-user access, which you must allow. Next, enter -the ProxyDroid settings, and change the proxy settings to point to your -mitmproxy instance. When you're done, it should look something like this: - - - -In this case, our mitmproxy instance is at the host __maru.otago.ac.nz__, -running on port __8080__. - -When you start mitmproxy, make sure that the upstream certificate option is set -(use the _--upstream-cert_ command-line option, or enable it interactively -using the _o_ shortcut): - -
-mitmproxy --upstream-cert
-
-