Collaborate Disseminate
I´m pentesting my first mobile application. I have a rooted android device and followed the steps here and here to install the certificate to proxy the traffic through Burp on my Laptop.
But no requests show up. When I´m opening the app I … Continue reading Intercepting app with Burp shows no requests
I have certificate pinning implemented in my iOS and Android apps. But when apps were pen-tested, we got the report from the pentester saying SSL implementation is weak in both the apps and can be easily bypassed using an SSL by-pass tool…. Continue reading Can we prevent SSL Pinning Bypass by pinning key instead of certificate?
In a corporate context, mobile apps exist that require a user to enter the server address to connect to a specific instance of this vendor’s application.
The vendor sells software that it’s customers deploy on premise (or on a private clou… Continue reading Should certificate pinning be implemented if the app can use many servers?
I’m somewhat knowledgeable in the concept of Public Key Pinning (HPKP) and I see a potential attack where a server admin could pin a particular cert and thus demanding user’s browsers to only honour that particular certificate.
However, if… Continue reading Public Key Pinning Attack? [duplicate]
I have some questions about certificate pinning.
Supposing that a mobile application has pinned only the root CA, it should be possible to an attacker to redirect in some way the victim to a malicious website with the same Root CA. Am I wr… Continue reading If a mobile app pins the Root Authority Certificate of a server and verifies its hostname, is it possible an attack via DNS-poisoning?
I don’t know if this is the right forum for this kind of question.
I was trying to intercept traffic from Twitter for Android app and for that I needed to bypass the SSL pin they implemented. Basically I was following this tutorial
and I g… Continue reading Can’t log in into Twitter for Android app after SSL Bypass
My use case is the following: I want to create an app with React Native that I can deploy on both iOS and Android.
The app should consume an RSS feed (https call) from the server but there is no need to have authorization in place. The out… Continue reading Is certificate pinning enough to protect client (native mobile app) – server communication?
I’m looking for the "best practice" to use in Certificate Pinning or an Alternative.
Scenario: I have a native mobile app and I have pinned the certificate so that the app can validate against my server.
Problem: The problem c… Continue reading Certificate Pinning Best Practice or Alternative
Can the same public key be used with RSA, Elliptic Curve, or other asymmetric encryptions algorithms? If not, how is a public key bound to a X.509 Certificate? Presumably, you’d have to know the algorithmic choice before determine a public… Continue reading How can you bind a public key to a certificate if the public key depends on the choice of algorithms?
I am dealing with a unique scenario where I have a mobile app that is unable to be updated on the App Store and has implemented SSL pinning. The issue is that the app pins against Lets Encrypt, which now will be moving to new certificates … Continue reading How can I locate and purchase SSL certificates that contain a specific trust chain?