Collaborate Disseminate
I have an iOS app with certificate pinning to two different servers.
I want to test this certificate pinning with a MITM attack, so I did:
Set proxy at my PC, in macos wifi settings -> advanced -> proxies -> enabled http/https proxy.
In… Continue reading Is it possible for OWASP ZAP to pass-through some requests without intercepting them, as if there were no proxy?
I’m trying to find out a specific request from an android application to its API server. Using Burp Suite, I get a handshake failure alert. Using fiddler it asks me to provide a custom certificate.
Now I have used apktool to de-compile … Continue reading Trying to extract SSL client certificate from android app
Talking with people, it is frequently considered that having a mobile application without certificate pinning is a vulnerability. But I rarely see people mentioning it for web applications.
The question is, why is this issue only mentioned… Continue reading Higher risk of no certificate pinning on mobile apps vs web apps?
An Android application that has SSL Pinning was successfully tested on a mobile device running Android 6 (with the certificates installed) using Burp proxy and OWASP ZAP Proxy. As expected the application refused connections when using eit… Continue reading Charles Proxy intercepting SSL Pinning enabled traffic
I’m following this article : Android Security: SSL Pinning to implement certificate pinning in Android using OkHttp.
As our app clients do not update their app regulary I don’t want to take the risk by using our server certification (Leaf… Continue reading Certficate pinning: should I pin the leaf or intermediate?
What is pinning nd how pinning is done
How many types of pinning is ther
And how can we do pinning in an application
I have seen multiple mobile applications that are pinning Global Root CA’s instead of intermediate/leaf certificates. Doesn’t this expose to the same risk as not having certificate pinning at all?
Considering the classic cof… Continue reading Is pinning global root CA almost same as not having any certificate pinning at all?
I am building a React Native application that downloads an SSL certificate file or a PFX from the server or a remote file storage. After getting this file, I want to install this certificate onto the device so that only my ap… Continue reading Install a PFX/SSL certificate downloaded from the server on Android/iOS device in a React Native app? [on hold]
So I have been reading about SSL pinning in context of a requirement where we have to interact with a web service operated by a partner of ours. We have an Android App and we would be making network calls to their service in … Continue reading A query about SSL pinning
To prevent MITM from my app I will use cert pinning.
To prevent having not approved parties communicate to my server I can use Mutal TLS, which actually accepting communication from trusted sources.
Am I am missing somethi… Continue reading Mutual TLS and Cert Pinning solving the same problem?