Android based mobile phones and Sophos UTM

No problem with today's versions of Android: https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/45042/android-phone-ssl-traffic-filtering/161451#161451

That worked with one I have.

EDIT 2018-04-29: This did not work.  See below.

Cheers - Bob

Hi BAlfson,

thank you for this hint. This doesn't seem to work as expected:

1. The certificate isn't trusted by Google Chrome and Microsoft Edge because of the error "NET::ERR_CERT_AUTHORITY_INVALID". And Chrome shows that the cipher suite is old.
2. The android phone checks the WLAN connection for internet access. And it looks like it can't trust the proxy certificate when checking the internet connection and so the WLAN connection isn't working correctly. It looks like the mobile phone is calling https://www.google.com for checking the internet access. So you have to make an exception rule for SSL interception for this URL.
3. Google Play Store isn't working any more. What are the exceptions for it to get it working?
4. Google Maps isn't working.
5. ...

It looks like all the Google apps can't use the certificate. So there are a lot of exceptions needed. Is there a documentation for this from Sophos available?

Hi all,

I tried with a new proxy certificate but this doesn't change the behavior of not trusting the certificate. Maybe this is because of saving the certificate in the user and not in the trusted certificate store on the Android device.

With some further investigations I found out that there are some more proxy exceptions needed for the Google Services (Play, Maps etc.). I configured these exceptions for not doing SSL related checks:

But I don't get all content: In YouTube the preview pictures aren't visible. The same is for Play Store. For some apps I see the icons for others not. I didn't find out yet which URLs are accessed for showing all of the content. At the moment I only see one of the URLs above.

UPDATE: To import self signed certificates as trusted CA Android seems to need a special basic constraint extension. See https://stackoverflow.com/questions/37281958/how-to-trust-self-signed-certificate-on-android. Can you confirm this? And how do I add this to the existing proxy certificate?

I noted in my post above that this didn't work for me.  For some reason, my tests from Chrome were going out over the LTE connection.  Sorry, I don't have time to play with this now.

Cheers - Bob

Hi The expert,

This special basic constraint extension is already present in the proxy ca certificate. Android 8 don't accept private root CAs. That's a big problem with all android 8 devices.

I've also not found a solution for this behavior.

Regards mod

Hi mod2402,

that's very interesting. But why is there a user section within the trusted CA certificate store on Android 8? Is this for future use? How can I check if this special basic constraint extension is already present in the proxy CA certificate?

So the only two options are

1. skipping transparent proxy for Android devices or
2. disabling the SSL related checks of the proxy for these devices?

That's not really good :-( I know that these devices don't have the security of a proxy when they are outside of my network. But I wan't to see the traffic when they are inside my network. When SSL inspection is disabled the most part of the traffic won't be visible.

So is there basically no way of filtering Andoid phones with Android 8 through UTM 9? No matter what I try, my android phone just gets right past all filters. Even when my desktop browsers complain about untrusted certificates the android phone isn't filtered at all.

Did you try the link above in the post where I said it works on mine?  Show a line from the Web Filtering log where your phone was able to reach something where it should have been blocked.

Cheers - Bob

Ok found it. I had the device listed under "Skip Transparent Mode". Fixed now. Thanks.

Ok found it. I had the device listed under "Skip Transparent Mode". Fixed now. Thanks.