HTTPS Sniffing on Android (Certificate Pinning)


#1

Hi,

So i have this app that on login uses certificate pinning (i dont see the data at all), right now i have mitmproxy certificate installed from mitm.it how do i define custom certificate in android? also how can i actually bypass certificate pinning? do i need to download the real certificate of host for it to work?

Thanks!


#2

Hi,
If an app uses certificate pinning you need to manually patch the app (decompile and add the certificate) or you need to root your android device.
http://docs.mitmproxy.org/en/stable/certinstall.html#certificate-pinning


Some traffic isn't shown in mitmproxy
#4

if the device is rooted it is enough? I am using a rooted device and still have the problem. can you specify what should be done?


#5

also, it the pinned domain is not of the app itself, but of a domain the app tries to connect to, is there anything to do?


#6

Hi
I was searching for something similar to your question please see the link below for help