
Sunday, 1 March 2015

Disabling certificate pinning topic

Hello there!

I'm currently assigned to assess the security of a new mobile application, and I'm mainly interested in sniffing the communication between the app and the server.
However, I noticed that the developers have implemented certificate pinning, which means that the app will refuse to submit login credentials unless the obtained certificate really belongs to a certain server. So I've been trying to disable that function in order to intercept the submitted requests using Burp Proxy.

What I did was basically decompiling the APK file using "APK Studio" and "Java Decompiler" in order to modify a couple of classes that appear to be responsible for validating the obtained certificate ("TrustManager" and "PubKeyManager") but have so far failed with all my attempts.

So I'm attaching the .apk file to check if any of you is willing to help by having a look at the code and advising me on what really needs to be modified in order to disable certificate pinning.

Thanks in advance for any help you might be able to provide!! :o

Attached Files

File Type: rar NEWAPP.rar (2.46 MB)

Wednesday, 11 February 2015

[Q] How to import self signed ssl certificate topic

I'm trying to build my own cloud server, namely owncloud... It works with plain http, but I want to convert it to ssl before going to "production" use... One of the problems is that I want to import a self signed certificate to my phone, without it complaining about "third party might be..." and without the complaint being visible all the time at status bar...

How do I import a self signed certificate to the phone? And get it to show in trusted credentials without the complaint? Other than the obvious settings -> security -> install from device memory/sd card. That is what I have tried so many times and this leads to the complaint I mentioned above.

Thanks!