When using burp as a proxy, either we totally won’t be able to see any traffic going pass through it or only the first HTTP request could be intercepted.There are several ways to guess and check if the mobile application has SSL pinning in place or not: How to check whether SSL pinning is implemented? There are also 2 ways how to pin the host, which you can find here as we won’t discuss it in this article. Simply put, these SSL certificates or public key will be “pinned” to the host, in this case the APK file. Unlike web application version which is easier to intercept its HTTP request on SSL traffic via MiTM attack or proxy, mobile application is quite challenging since it has its own mechanism to protect and secure its front-end (known as APK for android platform) from this kind of attack.Īs per OWASP said, SSL Pinning can be defined as process of associating a host with the expected X509 certificate or public key. *This is purely for sharing and any risks or impacts from it, is not author responsibility What is SSL Pinning? Before we start to bypass SSL pinning, we may know what SSL Pinning is.
In this article, we will peel off only for mobile application from its security perspective especially for SSL Pinning section, since this part is one of the most important part for any pentesters before continuing in “breaking things”. There are two version of applications which are mostly known by users, so called web application and mobile application. In this digital era, most of the companies will run their business through the application in order to serve their customers.
0 kommentar(er)
