HTTPS Filtering on Android 8.1

Discussion in 'Technical Support (AdGuard for Android)' started by Nzyme, Apr 17, 2019.

  1. Nzyme

    Nzyme Active Member

    Joined:
    May 3, 2017
    Messages:
    1,101
    So I bought this new Android TV Box running Android 8.1 (Oreo) that is rooted and installed AG (latest nightly). I even configured the HTTPS filtering setting and installed the AG certificate. However, when I looked under 'Apps Management' > Any App > HTTPS filtering, I see that this setting is disabled for all the apps. Trying to enable this setting shows a warning about the app not trusting the certificate or something. Does that mean that AG is not filtering the HTTPS traffic for all these apps? How can I enable HTTPS filtering for all the apps (system & installed)?
     
  2. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

    Joined:
    May 30, 2012
    Messages:
    4,163
    Since you're rooted, you need to move AG's certificate to the system store for it to work correctly. What are you using for root, Magisk perhaps? If so, you can install the move certificates module in the Magisk Manager app. If using something else (e.g. SuperSU) you can find the Move Certs app and use that.
     
  3. Nzyme

    Nzyme Active Member

    The box came rooted and in fact there is a setting in Android system settings that will allow me to toggle the 'Root' on or off. I tried setting that switch to off (unrooted) and then tried to check the HTTPS filtering option under Apps Mgmt but it still shows the message. So the question really is:

    1. In which environment does AG work to its full potential (rooted/unrooted)?
    2. In 'Filtering Method', should I be using Local VPN/Local HTTP Proxy considering that I am rooted?
    3. How can I move AG's certificate to the system store? I am not sure how this was rooted (SuperSU/Magisk). Is there a way to find out?

    Thanks!
     
  4. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

    1. Rooted, with the certificate moved to the system store. By default the certificate is installed in the user store, but lots of apps don't trust user certificates anymore.
    2. Doesn't really matter, but Local HTTP Proxy if you're going to use a VPN.
    3. AG itself has an option to move the certificate to the system store once rooted (and AG is granted root permissions). Settings > Network > HTTPS Filtering > Security Certificate and there it should give the option to move it to the system store. If it doesn't, try using the Move Certs app - I'd recommend getting it from the F-Droid app store since it isn't in the Play Store anymore.
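
Added example, not part of the thread and not AdGuard's code: the reason many apps ignore a user-store certificate is Android's trust-anchor rule, under which apps targeting API level 24 or higher trust only the system store unless their Network Security Configuration lists `src="user"`. The sketch below evaluates that rule for a given target SDK and config; the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample res/xml/network_security_config.xml (not from a real app).
SAMPLE_NSC = """
<network-security-config>
  <base-config>
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">example.test</domain>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </domain-config>
</network-security-config>
""".strip()

def _sources(cfg):
    """Set of <certificates src=...> values under cfg, or None if no <trust-anchors>."""
    anchors = cfg.find("trust-anchors")
    if anchors is None:
        return None
    return {c.get("src") for c in anchors.findall("certificates")}

def trusts_user_cas(target_sdk, nsc_xml=None):
    """Map scope ('*' = app-wide default, else a domain) to True if user-store CAs are trusted."""
    # Platform default: apps targeting API 24+ trust only the system store.
    result = {"*": target_sdk < 24}
    if not nsc_xml:
        return result
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    if base is not None and _sources(base) is not None:
        result["*"] = "user" in _sources(base)
    # Top-level <domain-config> only; nested configs and <debug-overrides> are ignored here.
    for dc in root.findall("domain-config"):
        src = _sources(dc)
        trusted = result["*"] if src is None else "user" in src
        for d in dc.findall("domain"):
            result[(d.text or "").strip()] = trusted
    return result

if __name__ == "__main__":
    print(trusts_user_cas(23))              # legacy app, no config
    print(trusts_user_cas(27))              # modern app, no config
    print(trusts_user_cas(27, SAMPLE_NSC))  # modern app with per-domain opt-in
```

A `False` entry is a scope where a certificate in the user store is not accepted, so filtering there only works once the certificate sits in the system store.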
     
  5. Nzyme

    Nzyme Active Member

    Ok, thanks. Let me try this
     
  6. Nzyme

    Nzyme Active Member

    Works great. Thanks.
     
  7. Nzyme

    Nzyme Active Member

    I observed that when I use the HTTP proxy option, I see a message in the Apps Management page:

    The firewall functionality is limited in the proxy mode

    However I did not find any setting to be disabled for any of the apps. What functionality is disabled?
     
  8. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

    Yeah, the firewall feature of AG for Android won't work while using the local HTTP proxy option.
     
  9. Nzyme

    Nzyme Active Member

    Do you mean that when I use the HTTP proxy option, the settings under the 'Firewall' section of an app (in 'Apps Management' page) won't have any effect?

    Ex: In the Apps Management page, tapping on an app and then scrolling down to the 'Firewall' section has a few fields (Cellular data, WiFi data, when screen off, etc.). If HTTP proxy is used, then all these settings will not have any effect? If I enable or disable these, then it does not matter? Can you confirm?
     
  10. Nzyme

    Nzyme Active Member

    @Boo Berry: Can you please confirm what exactly is limited in HTTP proxy mode?
     
  11. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

  12. Chinaski

    Chinaski Support Marine Staff Member Administrator Moderator

    Joined:
    Apr 15, 2019
    Messages:
    363
    Why is the firewall's function partial and the data stats not that accurate in proxy mode?
    There are many types of data traffic on the Internet: the Web, VoIP, Games, VPNs, UDP traffic (including DNS requests) and so on. In the VPN mode, we control every packet of data that is coming from any app, but in the proxy mode, we control only a subset of the traffic. Therefore, we cannot guarantee full connection disabling for particular apps, and the numbers that you see in AdGuard's statistics in proxy mode may be inaccurate.


    Then, the proxy mode is bad?
    Not at all. If you don't care so much about the statistics and the UDP traffic you can use it without hesitation.