Ensure Chrome on Android doesn't validate our cert for Cert Transparency

Author: pimterry

src/interceptors/android/adb-commands.ts

@@ -250,7 +250,7 @@ export async function injectSystemCertificate(
             echo "System cert successfully injected"
         `),
         injectionScriptPath,
-        // Due to an Android bug - user mode is always duplicated to group & others. We set as read-only
+        // Due to an Android bug, user mode is always duplicated to group & others. We set as read-only
         // to avoid making this writable by others before we run it as root in a moment.
         // More details: https://github.com/openstf/adbkit/issues/126
         0o444
@@ -261,6 +261,41 @@ export async function injectSystemCertificate(
     console.log(scriptOutput);
 }
 
+export async function setChromeFlags(
+    adbClient: adb.AdbClient,
+    deviceId: string,
+    rootCmd: string[],
+    flags: string[]
+) {
+    const flagsFileContent = `chrome ${flags.join(' ')}`;
+
+    const chromeFlagsLocations = [
+        'chrome',
+        'android-webview',
+        'webview',
+        'content-shell'
+    ].flatMap((variant) => [
+        `/data/local/${variant}-command-line`,
+        `/data/local/tmp/${variant}-command-line`,
+    ]);
+
+    await Promise.all(chromeFlagsLocations.map((flagsFilePath) =>
+        pushFile(
+            adbClient,
+            deviceId,
+            stringAsStream(flagsFileContent),
+            flagsFilePath,
+            // Due to an Android bug, user mode is always duplicated to group & others. We set as read-only
+            // to avoid making this writable by others.
+            // More details: https://github.com/openstf/adbkit/issues/126
+            0o444 // Read-only for everybody
+        )
+    ));
+
+    // Restart chrome, now that the flags have been changed:
+    await run(adbClient, deviceId, rootCmd.concat('am', 'force-stop', 'com.android.chrome')).catch(() => {});
+}
+
 export async function bringToFront(
     adbClient: adb.AdbClient,
     deviceId: string,

src/interceptors/android/android-adb-interceptor.ts

@@ -16,7 +16,8 @@ import {
     injectSystemCertificate,
     stringAsStream,
     hasCertInstalled,
-    bringToFront
+    bringToFront,
+    setChromeFlags
 } from './adb-commands';
 import { streamLatestApk, clearAllApks } from './fetch-apk';
 import { parseCert, getCertificateFingerprint, getCertificateSubjectHash } from '../../certificates';
@@ -185,24 +186,32 @@ export class AndroidAdbInterceptor implements Interceptor {
             const subjectHash = getCertificateSubjectHash(cert);
             const fingerprint = getCertificateFingerprint(cert);
 
-            if (await hasCertInstalled(this.adbClient, deviceId, subjectHash, fingerprint)) {
+            if (!await hasCertInstalled(this.adbClient, deviceId, subjectHash, fingerprint)) {
+                const certPath = `${ANDROID_TEMP}/${subjectHash}.0`;
+                console.log(`Adding cert file as ${certPath}`);
+
+                await pushFile(
+                    this.adbClient,
+                    deviceId,
+                    stringAsStream(certContent.replace('\r\n', '\n')),
+                    certPath,
+                    0o444
+                );
+
+                await injectSystemCertificate(this.adbClient, deviceId, rootCmd, certPath);
+                console.log(`Cert injected`);
+            } else {
                 console.log("Cert already installed, nothing to do");
-                return;
             }
 
-            const certPath = `${ANDROID_TEMP}/${subjectHash}.0`;
-            console.log(`Adding cert file as ${certPath}`);
+            const spkiFingerprint = generateSPKIFingerprint(certContent);
 
-            await pushFile(
-                this.adbClient,
-                deviceId,
-                stringAsStream(certContent.replace('\r\n', '\n')),
-                certPath,
-                0o444
-            );
-
-            await injectSystemCertificate(this.adbClient, deviceId, rootCmd, certPath);
-            console.log(`Cert injected`);
+            // Chrome requires system certificates to use certificate transparency, which we can't do. To work
+            // around this, we need to explicitly trust our certificate in Chrome:
+            await setChromeFlags(this.adbClient, deviceId, rootCmd, [
+                `--ignore-certificate-errors-spki-list=${spkiFingerprint}`
+            ]);
+            console.log('Android Chrome flags set');
         } catch (e) {
             reportError(e);
         }