Some friends of mine they worry about the risk of Man-in-the-middle so they ask me how to verify the potential risk of some Apps.

Take a popular shopping app “X” for example, If “X” does not meet the requirement of  “Certificate Pinning”,  we could definitely use proxy tool like Burp Suite to intercept any confidential between mobile device and servers.

1. Run Burp Suite on my laptop and my laptop becomes a proxy server. (Don’t foreget to change policy of firewall to allow connection to its proxy server listening port.)
2. Download Certificate from Burp Suite and install this cert file into my mobile phone.
3. Setup the proxy server ip and port in my mobile phone’s wifi settings.(Of course the ip is my laptop’s ip; the port number is the listening port of proxy server on my laptop)
4. Make sure Burp suite is ready to intercept packets.

Now we could run this app “X” and start to login. Let’s see what data Burp could intercept. To my surprise “nothing” found in intercept tab.

The “Alert” tab turns orange means something happens. It looks like “X” could meet the requirement of certificate pinning.

Don’t jump to conclusions too soon. Let’s take a look at account registry. Input some data such as ID, username , password, phone number, e-mail and click “Submit”.  Guess what? Those confidential data being intercepted by Burp suite.

“X” still need to do certificate pinning to avoid the risk of MITM. Now my friends know how to verify certificate pinning by using proxy.

How to verify Certificate Pinning?的更多相关文章

1. 008_ssl Certificate Pinning

   证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证书, ...

2. 证书锁定Certificate Pinning技术

   证书锁定Certificate Pinning技术   在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证 ...

3. Mobile game analysis

   Let's take a look at a very popular mobile game "Garena 传说对决" . It would be very interesti ...

4. Mobile game forensics

   My friend Carrie'd like to know "Garena 传说对决" violates any mobile risks such as insecure d ...

5. About certificate

   证书spec, X509, 类似规定了一个目录结构.其中重要内容包括 issuer: who isued this certificate subject: the ID of this certif ...

6. 证书锁定SSL/TLS Pinning

   前言 APP端抓包中, 设置抓包代理后会发现部分APP(如app store.Facebook)直接无法访问,其他部分app又功能正常,为什么呢?这涉及 ssl-pinning,证书锁定. 证书锁定( ...

7. IP, TCP, and HTTP--reference

   IP, TCP, and HTTP Issue #10 Syncing Data, March 2014 By Daniel Eggert When an app communicates with ...

8. Android 1.5-7.0（持续更新）安全机制一览

   Android 1.5 ProPolice to prevent stack buffer overruns (-fstack-protector),在缓冲区buffer与返回地址之间加入Canary ...

9. OkHttp 官方Wiki【设计思想】

   官方Wiki之Calls 原文位置:https://github.com/square/okhttp/wiki/Calls The HTTP client's job is to accept you ...

随机推荐

1. linux 常用命令学习记录

   rm -f *.sh 2.grep -rn "enng" * 查找文件内容包含enng的文件(注意:文件名有xian的不会查询出) find . ! -name "*.s ...

2. 【POJ 2774】Long Long Message 最长公共子串

   还是模板啊,手残&&打成||查错查了1h+TAT #include<cstdio> #include<cstring> #include<algorith ...

3. mysql 去除空格

   update nm_user set nickname=TRIM(Replace(Replace(Replace(nickname,'\t',''),'\n',''),'\r',''))

4. zendstudio添加注释快捷键

   最常用的是ctrl+/来添加行注释 方法是选中代码,按ctrl+/就可以注释掉代码.再按ctrl+/可以去掉注释 添加块注释时,现加/,再加*,再按enter即可添加块注释.

5. Objective-C学习篇04—多态

   多态 多态的概念 有这样一个例子.早上我和同事说口渴了.结果:A同事拿着我的水杯去给我接了一杯水.B同事顺手在饮水机上拿了一次性纸杯给我接了杯水.C同事给了我一瓶他早上刚买的饮料.同事们得到的是同样的 ...

6. iOS开发中EXC&lowbar;BAD&lowbar;ACCESS的另类原因

   今天偶然学习iOS开发的时候碰到一个EXC_BAD_ACCESS的异常,经查资料得到的解释是由于访问了已经被回收了堆内存对象导致的,参考: http://code.tutsplus.com/tutor ...

7. 获取某月第一天，最后一天的sql server脚本

   本文来自:http://blog.csdn.net/chaoowang/article/details/9167969 这是计算一个月第一天的SQL 脚本:   SELECT DATEADD(mm, ...

8. poj2942&lpar;双联通分量，交叉染色判二分图&rpar;

   题意:一些骑士,他们有些人之间有矛盾,现在要求选出一些骑士围成一圈,圈要满足如下条件:1.人数大于1.2.总人数为奇数.3.有仇恨的骑士不能挨着坐.问有几个骑士不能和任何人形成任何的圆圈. 思路:首先 ...

9. JAVA课程课后作业03之动手动脑

   一.构造函数 问题一: 错误代码如图: 错误原因:从图片中的编译报错的地方来看,程序是在给新的对象分配空间是出现了问题,因而我们往下观察Foo类,Foo类的构造方法是有一个参数的有参方法,而前面构造新 ...

10. jQuery中hover方法和toggle方法使用指南

    jQuery提供一些方法(如:toggle)将两种事件效果合并到一起,比如:mouseover.mouseout:keyup.keydown等 1.hover函数 hover(over,out)一个模 ...