[Mitmproxy] Android Apps

I did some research and found out that some apps are able to drop the internet connection when they see certificate substitution. How do they do it? Are they checking the presence of user certificate or just comparing built-in certificate with the server one?

Hello,

You are probably thinking about Certificate Pinning. Those apps compare the “copy” of the server certificate they already have with the one the server is sending when the connection is established.

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#Android

I used quotes around the word copy because certificate pinning can be implemented in several ways: the app can have a copy of the CA’s certificate, a copy of the server’s certificate, just a hash of those certificates, etc. In the OWASP’s example, the app has a copy of the CA’s certificate and, when a connection is established, the certificate sent by the server is validated against a set of trust anchors containing only that copy.

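The pinning check the answer describes, as an added example that is not part of the original thread, the mitmproxy project or the OWASP page. It is written in Go rather than Android Java because Go's standard library can mint the test certificates and run the chain validation offline; the hostnames, CA names and the "proxy CA" chain are all constructed for the demonstration. It shows the two mechanisms side by side: a trust store holding only the app's own copy of the CA (the OWASP approach) and a pin set of SPKI hashes, and it also shows why the pin set matters even when the device's trust store already contains a user-installed CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonically increasing serial for the constructed certificates

// issueCert mints a certificate for cn. With parent == nil it is a self-signed CA;
// otherwise it is a server leaf signed by parent/parentKey. Test material only.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the pin format used by
// OkHttp's CertificatePinner and Android's Network Security Config.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinnedChain validates the chain the server presented against roots (the app's
// own trust anchors, as in the OWASP example) and then requires that at least one
// certificate in a valid chain carries a pinned public key.
func verifyPinnedChain(presented []*x509.Certificate, roots *x509.CertPool, pins map[string]bool, host string) error {
	if len(presented) == 0 {
		return errors.New("server sent no certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	if err != nil {
		return fmt.Errorf("chain not anchored in the app's trust store: %w", err)
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return errors.New("chain validates but contains no pinned public key")
}

func mustIssue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	c, k, err := issueCert(cn, parent, parentKey)
	if err != nil {
		panic(err)
	}
	return c, k
}

// runScenario returns three outcomes: the genuine server against the app's own CA copy,
// an intercepting proxy's chain against that same strict store, and the proxy's chain
// against a store that also trusts the proxy CA (a user-installed certificate) but still
// enforces the pin set.
func runScenario() (legit, proxyStrict, proxyUserCA error) {
	const host = "api.example.test" // constructed hostname
	realCA, realKey := mustIssue("Pinned Root CA", nil, nil)
	server, _ := mustIssue(host, realCA, realKey)
	proxyCA, proxyKey := mustIssue("Intercepting Proxy CA", nil, nil)
	forged, _ := mustIssue(host, proxyCA, proxyKey)
	pins := map[string]bool{spkiPin(realCA): true}

	strict := x509.NewCertPool() // only the app's embedded copy of its CA
	strict.AddCert(realCA)
	legit = verifyPinnedChain([]*x509.Certificate{server}, strict, pins, host)
	proxyStrict = verifyPinnedChain([]*x509.Certificate{forged, proxyCA}, strict, pins, host)

	withUserCA := x509.NewCertPool() // system-like store where the proxy CA was installed
	withUserCA.AddCert(realCA)
	withUserCA.AddCert(proxyCA)
	proxyUserCA = verifyPinnedChain([]*x509.Certificate{forged, proxyCA}, withUserCA, pins, host)
	return
}

func main() {
	legit, proxyStrict, proxyUserCA := runScenario()
	fmt.Println("genuine server:", legit)
	fmt.Println("proxy, strict store:", proxyStrict)
	fmt.Println("proxy, user CA trusted:", proxyUserCA)
}
```

The first rejection comes from the trust-store check alone: the proxy's chain never reaches the app's CA copy. The third case is the one the question is really about: once a user has installed the proxy CA, plain system validation would succeed, and it is the pin set (a hash of the expected public key) that still refuses the connection. Either mechanism on its own is enough to make an app drop the connection when the certificate has been substituted.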