SSL pinning to protect your apps from MITM attacks

Draft Disclaimer: Please note that this article is currently in draft form and may undergo revisions before final publication. The content, including information, opinions, and recommendations, is subject to change and may not represent the final version. We appreciate your understanding and patience as we work to refine and improve the quality of this article. Your feedback is valuable in shaping the final release.


  • Why SSL pinning
    • In order to view and fuzz a mobile app's web service calls, we need to use an intercepting proxy such as Burp Suite or ZAP. When SSL traffic is intercepted by a proxy, the SSL connection from the client is terminated at the proxy.
    • By default, the self-signed certificate generated by tools such as Burp won't have a valid trust chain.
    • If the certificate can't be verified as trusted, most mobile apps will terminate the connection instead of connecting over a potentially insecure channel.
  • Protects your API too
  • Protects your HTTP client
  • How it works
    • A list of trusted certificates is embedded in the app and compared against the certificate presented by the server at runtime.
  • There are ways around SSL pinning
    • As always in security, bypasses exist, but they are not within reach of your average attacker.
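The runtime comparison described under "how it works", as an added Go example that is not part of the original article. It assumes a Go client that installs the returned callback as `tls.Config.VerifyPeerCertificate`, and it pins the SHA-256 of the certificate's SubjectPublicKeyInfo (one common form of the "embedded certificate list"); the two self-signed certificates are constructed on the fly to stand in for the real API server and for a proxy's generated certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is base64(SHA-256(SubjectPublicKeyInfo)): the value embedded in the app.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier builds a tls.Config.VerifyPeerCertificate callback: the handshake is aborted unless the leaf's SPKI hash is in the pin set.
func pinVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 {
			return fmt.Errorf("pinning: no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(raw[0])
		if err != nil {
			return err
		}
		if pins[spkiPin(leaf)] {
			return nil
		}
		return fmt.Errorf("pinning: peer public key matches no embedded pin")
	}
}

// selfSigned mints a throwaway certificate (constructed test data) standing in for the real API server or for a proxy's generated cert.
func selfSigned() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	api, proxy := selfSigned(), selfSigned()
	verify := pinVerifier(map[string]bool{spkiPin(api): true})
	fmt.Println(verify([][]byte{api.Raw}, nil), verify([][]byte{proxy.Raw}, nil))
}
```

Because the callback runs after Go's normal chain validation, a proxy certificate that a user has installed as trusted on the device still fails the pin check, which is exactly the case the outline above describes.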