All Questions
78 questions
1
vote
0
answers
473
views
Android Certificate Revocation Checking
I am hoping I can leverage everyone's knowledge on this one as I am at a lose.
I have an Android 10 Device connecting to a containerized web application that is secured by a custom Certificate ...
- 11
13
votes
1
answer
4k
views
SSL issue captures Facebook app send out traffic
I tried to capture the send-out traffic of the Android app (Google Drive, Facebook, etc.). This is my security thesis.
I succeed capture send-out traffic on the Google Drive app with Mitmproxy but ...
- 233
0
votes
1
answer
856
views
Can I bypass SSL pinning If I found the certificate hardcoded in the application
I found an x509 certificate hardcoded in an application and after looking into the code I found that is used to validate certificates(SSL pinning). Can I bypass SSL pinning with the certificate that I ...
2
votes
0
answers
467
views
Request to produce Android APK without 'certificate pinning'
Information Protection Officer at my work requested me to produce a version of our Android App (quote) "...without SSL pinning for our.backend.domain.name.com" for vulnerability scanning ...
- 131
1
vote
0
answers
239
views
Insufficient SSL certificate pinning in an native Android app
I have implemented Certificate Pinning in a prototype of an android app. Here are the steps I followed:
Converted .crt file to .bks file
Added the .bks file to the asset folder in project structure
...
- 11
1
vote
1
answer
374
views
Custom PKI for TLS in iOS vs. Android
The scenario
An app on iOS has to perform an HTTPS connection, validating the server's TLS certificate against a root CA of a custom PKI.
The target
Android seems to have best-practice procedures to ...
- 11
9
votes
3
answers
10k
views
Can we prevent SSL Pinning Bypass by pinning key instead of certificate?
I have certificate pinning implemented in my iOS and Android apps. But when apps were pen-tested, we got the report from the pentester saying SSL implementation is weak in both the apps and can be ...
- 201
0
votes
2
answers
1k
views
Prevent ssl pinning bypasses
I want to understand if end user is doing MITM attack on my app and i want my API server to receive this. Is there any way i can hook an SDK or some listener that tracks which certificate is being ...
- 41
2
votes
1
answer
380
views
How to protect certificates and keys in peer to peer application
I'm making a peer-to-peer cross-platform application (in Java & Kotlin), and I want to encrypt conversations between tens of users, concurrently.
However, due to lack of knowledge in security good ...
- 23
0
votes
0
answers
2k
views
Bypassing SSL pinning Using Frida issue
I am a penetration tester, and I was doing some SSL pinning bypass using Frida.
I have pushed all the required files and certificates, and burp is intercepting traffic from the Android Studio ...
2
votes
0
answers
896
views
BURP SSL connection failing on Genymotion Virtual Device - Android 8.0 API 26
Everything earlier used to work fine. However, recently I downloaded a newer virtual device on Genymotion, which is an Android 8.0 API 26. I have been struggling to get HTTPS traffic intercepted on ...
- 1,522
-1
votes
2
answers
4k
views
Trying to extract SSL client certificate from android app
I'm trying to find out a specific request from an android application to its API server. Using Burp Suite, I get a handshake failure alert. Using fiddler it asks me to provide a custom certificate.
...
- 135
9
votes
3
answers
9k
views
Certficate pinning: should I pin the leaf or intermediate?
I'm following this article : Android Security: SSL Pinning to implement certificate pinning in Android using OkHttp.
As our app clients do not update their app regulary I don't want to take the risk ...
- 215
3
votes
1
answer
450
views
Is it safe to transfer location data by using TLS?
Is it safe to transfer location data by using TLS with self-signed certificates?
I read a lot of varied discussions on the web which makes me to ask about the subject.
- 33
1
vote
2
answers
427
views
Use bidirectional SSL with CAC from phone
Is it possible to extract the certificate from a CAC (DOD common access card) and install it on a phone so that access to websites using bidirectional SSL can be done from a user phone. Ideally, the ...
- 111
0
votes
0
answers
1k
views
SSL handshake: Client Hello and Server Hello
I am trying to understand how a client communicates with a server when using a proxy. The client is an Android device, whom the traffic is proxied to the server through mitmproxy.
This is my topology:...
- 121
7
votes
2
answers
2k
views
Outlook for Android uses intermediate Microsoft Servers
I have an IMAP + SMTP server running on linux, using Dovecot + Postfix.
The server only accepts connections over TLS and uses plaintext authentication once the tunnel is established.
I was auditing ...
user97661
-1
votes
1
answer
191
views
tls custom system trusted certificate on android6 not working [closed]
I encounter the same problem as the user has in this post:
Why does Samsung Android browser say our site has a valid certificate, but the site identity has not been verified?
The accepted answer is:
...
1
vote
1
answer
821
views
HTTPS MITM Proxy breaks HTTPS
I tried to reverse engineer an Android APP using MITMProxy,
and the Server responds with an unauthenticated-error.
If the whole authentication would be using headers (Basic, etc...), the Proxy should ...
- 33
2
votes
1
answer
4k
views
HSTS for android apps?
Websites such as Facebook visited on browsers have the HSTS capability which is one more layer of security for TLS from some attacks.
What about, in particular, the Facebook android app?
Does it ...
- 21
3
votes
2
answers
2k
views
Installing own certificate for HTTPS sniffing?
This is something I heard before but cannot remember how to do, I am looking for a tutorial or alike.
I have an Android application I need to audit. I need to check if any cookies are being ...
- 713
1
vote
2
answers
1k
views
Android application interception issue
I'm a newbie to android pen testing and started off with an application.
The app uses HTTPS and works fine without configuring any proxy.
When a proxy like a burp suite is configured, the app ...
1
vote
0
answers
551
views
Help with breaking SSL pinning of this app [closed]
I need help removing SSL pinning of this original Android app. I've tried different techniques like hooking the app with Objection, re-pinning with Frida, using the SSLUnpinning app from the Xposed ...
- 21
1
vote
1
answer
1k
views
Setup a Proxy with a Cordova / Ionic Android App (aka Open Source version of PhoneGap )
We're doing a security assessment on a Cordova / Ionic Mobile Application (APK & IPA). Even though we've imported our proxies Certificate Authority to the device and we can intercept SSL in the ...
- 123
1
vote
1
answer
569
views
Certificate Pinning with CDN
I'm currently designing the security controls of an Android Application and willing to have Certificate Pinning. I'm familiar with the concept and have seen various implementations in the past, yet ...
- 13
2
votes
1
answer
347
views
Can you just replace the TLS cert in a pinned application?
Say there is an Android APK. You want to sniff the traffic to the private API. So you decompile it, find the cert, then replace it with fiddler's or burp's or charles proxy's, recompile it then run it,...
- 121
1
vote
0
answers
779
views
Bypassing Certificate/SSL Pinning using AppMon
I'm trying to reverse engineer an app that has Native layer certificate pinning, I can't go that deep in to patching so I've been looking in to other available options, one i came accross was appmon, ...
- 11
0
votes
1
answer
1k
views
Android pinning SSL handshake Exception after SSL renewal of website
i've an android app with ssl pinned it was working fine but after i've renewed the SSL now its throwing exception
javax.net.ssl.SSLHandshakeException:
java.security.cert....
- 103
4
votes
3
answers
16k
views
How do you find SSL Keys on Android (to decrypt SSL on WireShark)?
I'm using an Android Emulator on my PC, then logging into some apps (while running WireShark), and now I'm trying to figure out how to decrypt the SSL traffic.
I understand that I need to find some ...
- 51
2
votes
1
answer
4k
views
Burp with whatsapp
While doing some pentesting on an android app with Burp setup as a proxy (with https) I saw no traffic coming from whatsapp messages that I received or send.
I looked around in Burp, but I cannot ...
- 929
0
votes
1
answer
1k
views
Nogotofail usage android pentesting
I was looking at the google tool: Nogotofail https://github.com/google/nogotofail
I used their examples to set it up and this works for the examples with proxychains.
But now I want to use it with ...
- 929
-2
votes
1
answer
722
views
Alternatives to SSL/TSL for Android and iOS
When securing a website SSL/TSL is the only way, because browsers need to support it.
However, when creating a native application that needs to communicate with a remote server, this does not seem to ...
- 97
3
votes
1
answer
1k
views
Self signed SSL certificate in multiple devices - Is this secure enough?
We are trying to design a solution where we have several Smart devices and we can control every smart device from multiple phones. We will generate a Self-signed SSL Server Certificate and embed that ...
- 143
0
votes
1
answer
344
views
Regarding SSL Pinning implementation
I have doubt. For android application security which SSL pinning method is good?
Deploying HTTP Public key pinning
Deploying certificate validation using *.bks format along with hostname verifier.
...
- 329
1
vote
1
answer
2k
views
Why does Samsung Android browser say our site has a valid certificate, but the site identity has not been verified?
Our website using Let's Encrypt through Nginx is all green on SSLLabs test (A- score).
But on one Android phone it accepts the certificate and sees the trust chain up to the root certifying authority,...
- 507
1
vote
1
answer
1k
views
Is it possible to implement secure ssl pinning implementation for without server side validation?
It is known fact that in android there are couple of tools which can bypass ssl pinning such as Justtrustme, Android-SSL-TrustKiller. In iOS there are ios-SSL-Killswitch.
I had 3 options to implement ...
- 329
1
vote
1
answer
196
views
Is it possible to lock down the http / https proxy settings on an Android phone?
Is there any way to lock down the proxy settings on an Android Phone so that they can't be changed by anyone but the person with the password?
- 1,471
0
votes
1
answer
511
views
Vicious circle with certificates - how to trust the server cert?
I have a java app on Android that needs to be able to communicate with a web server over ssl using an client x509 certificate (for encryption negotiation) - the private key is in the java keystore ...
- 161
1
vote
1
answer
4k
views
TLS interception on an Android phone
Here are the steps I've been through until I hit a problem.
I have a website that runs on an HTTPS protocol serving the Android application
I generally debug requests / responses via Wireshark ...
- 11
2
votes
0
answers
69
views
How can I ensure that phone app traffic is using HTTPS? [duplicate]
When I access a website, I know just by looking at the URL whether it's HTTPS or HTTP.
If I'm using an app on my phone, I cannot see this. So if say the app wants me to enter a password in to create ...
- 1,590
2
votes
3
answers
942
views
SSL Certificate in my hosting makes me change my java code?
Sorry for my stupid question. But I really want to know what is gonna happen..
I have a webservice hosted over the http protocol.
I wanna buy an SSL certificate to have my webservice hosting with ...
6
votes
1
answer
792
views
How To Bypass SSL pinning In SPDY protocol?
I have been trying for almost a month to intercept the traffic of an android app the uses SSL pinning. I used Android-SSL-TrustKiller and SSLUnpinning but it did not work.I also decompiled the app and ...
- 61
6
votes
2
answers
2k
views
SSL: Android may not verify hostname, defining cipher suites
I'm developing an Android App which sends some HTTPS requests to our own Webserver (Linux, Nginx, SSL zertificate from "Let's Encrypt").
The requests worked fine on my test devices (Android 4.2.2 &...
- 61
2
votes
1
answer
285
views
What was the first version of Android to use OpenSSL (and what version was it)? What was used prior?
Android 1.6 source is the earliest I can find that references openssl
(i.e., has OPENSSL_VERSION[_TEXT] defined
The script I ran to get these versions was:
$ git clone https://android.googlesource....
- 207
0
votes
3
answers
186
views
Can the user of an app see what's in the https packets?
If I exchange https packets between a server and an Android client, is it easy for the user of the client to get whatever is in the encrypted traffic? Should I consider all such traffic unsafe if the ...
1
vote
3
answers
2k
views
Storing API tokens safely on Android to identify developer
We're building an Android library for our Rest APIs that app developers will access with a unique token. Since it's a paid service, and it's a per-request or per-install pricing model, how do we ...
- 113
3
votes
1
answer
555
views
Can an Android malware install a SSL/TLS certificate into non-root devices?
Does there exist some standard API that allow an Android malware to download and install a SSL/TLS certificate as RCA, in the default keystore, in non-root devices?
I think that this is a very ...
- 133
0
votes
0
answers
143
views
How can I protect a mobile application from LogJam?
I develop a two-factor authentication app on iOS and Android and I recently noticed that they run perfectly fine against a local dev server that is vulnerable to LogJam. Is there any way to secure ...
- 2,358
1
vote
1
answer
211
views
How is the username and password captured on this mobile device?
I have a Motorola phone, and I am concerned about my privacy after reading this article : http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html
The poster says:
For both of these ...
- 171
3
votes
1
answer
4k
views
SSL traffic manipulation through ettercap MitM and iptables
I am trying to understand the relation between some tools and concepts used for MitM on a wifi network and how https transaction (over this wifi network) between an android app and the respective ...
- 1,522