Sunday, 1 March 2015

Disabling certificate pinning topic






Hello there!

I'm currently assigned to assess the security of a new mobile application, and I'm mainly interested in sniffing the communication between the app and the server.
However, I noticed that the developers have implemented certificate pinning, which means that the app will refuse to submit login credentials unless the obtained certificate really belongs to a certain server. So I've been trying to disable that function in order to intercept the submitted requests using Burp Proxy.

What I did was basically decompile the APK file using "APK Studio" and "Java Decompiler" in order to modify a couple of classes that appear to be responsible for validating the obtained certificate ("TrustManager" and "PubKeyManager"), but I have so far failed in all my attempts.

So I'm attaching the .apk file to check if any of you is willing to help by having a look at the code and advising me on what really needs to be modified in order to disable certificate pinning.

Thanks in advance for any help you might be able to provide!! :o














Attached Files





File Type: rar NEWAPP.rar (2.46 MB)









