How to verify Certificate Pinning?
Some friends of mine worry about the risk of man-in-the-middle attacks, so they asked me how to check whether a given app is exposed to it.
Take a popular shopping app “X” for example. If “X” does not implement certificate pinning, a proxy tool like Burp Suite can intercept any confidential data exchanged between the mobile device and the servers.
- Run Burp Suite on my laptop, which then acts as the proxy server. (Don’t forget to change the firewall policy to allow connections to the proxy’s listening port.)
- Download the CA certificate from Burp Suite and install this cert file on my mobile phone.
- Set the proxy server IP and port in my mobile phone’s Wi-Fi settings. (The IP is my laptop’s IP; the port is the listening port of the proxy server on my laptop.)
- Make sure Burp Suite is ready to intercept requests.
Now we can run app “X” and log in. Let’s see what data Burp can intercept. To my surprise, “nothing” was found in the Intercept tab.

The “Alert” tab turning orange means something went wrong with the connection. It looks like “X” does implement certificate pinning.

Don’t jump to conclusions too soon. Let’s take a look at account registration. Enter some data such as ID, username, password, phone number and e-mail, and click “Submit”. Guess what? That confidential data was intercepted by Burp Suite.

“X” still needs to apply certificate pinning across the whole app, the registration flow included, to avoid the risk of MITM. Now my friends know how to verify certificate pinning by using a proxy.
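To show what the pinning check that “X” is missing actually does, here is an added example (not code from the post or from any app): the leaf certificate’s DER-encoded SubjectPublicKeyInfo is hashed with SHA-256 and compared with a pin the app ships, which is the format OkHttp and HPKP use. The two certificates are constructed DER shells built inline with placeholder field values and made-up key bytes (`SERVER_KEY`, `PROXY_KEY`), not real signed certificates; they carry the same server name but different keys, which is exactly the situation an intercepting proxy creates. Function and constant names are my own.

```python
"""SPKI certificate pinning reduced to its core (added example, stdlib only).
A pinned client hashes the DER SubjectPublicKeyInfo of the leaf certificate
and rejects the connection when the hash is not in its pin set. A proxy that
presents a certificate for the same hostname but with its own key fails this
check, even though the device trusts the proxy's CA.
"""
import base64
import hashlib

# ASN.1 tags used below
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06
UTF8STRING, UTCTIME, CTX0 = 0x0C, 0x17, 0xA0


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV in definite-length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(content: bytes) -> list:
    """Split a run of TLVs into (tag, body, raw_tlv) triples."""
    out, off = [], 0
    while off < len(content):
        tag, first = content[off], content[off + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nb = first & 0x7F
            length = int.from_bytes(content[off + 2:off + 2 + nb], "big")
            hdr = 2 + nb
        end = off + hdr + length
        out.append((tag, content[off + hdr:end], content[off:end]))
        off = end
    return out


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_children(cert_der)[0]
    _, tbs_body, _ = der_children(cert_body)[0]
    fields = der_children(tbs_body)
    if fields[0][0] == CTX0:          # explicit version tag is optional
        fields = fields[1:]
    return fields[5][2]               # subjectPublicKeyInfo, full TLV


def spki_pin(cert_der: bytes) -> str:
    """Pin in the 'sha256/<base64>' form used by OkHttp CertificatePinner and HPKP."""
    digest = hashlib.sha256(spki_from_certificate(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_accepts(cert_der: bytes, pinned: set) -> bool:
    """The check a pinned client runs on the leaf certificate it was served."""
    return spki_pin(cert_der) in pinned


def build_cert(public_key_bytes: bytes, common_name: bytes) -> bytes:
    """Constructed certificate shell: correct DER layout, placeholder values,
    no real signature. Only the structure matters for pin extraction."""
    rsa_encryption = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + der_tlv(NULL, b""))
    sha256_rsa = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")) + der_tlv(NULL, b""))
    spki = der_tlv(SEQUENCE, rsa_encryption + der_tlv(BIT_STRING, b"\x00" + public_key_bytes))
    name = der_tlv(SEQUENCE, der_tlv(SET, der_tlv(SEQUENCE,
        der_tlv(OID, bytes.fromhex("550403")) + der_tlv(UTF8STRING, common_name))))  # CN=
    validity = der_tlv(SEQUENCE, der_tlv(UTCTIME, b"240101000000Z") * 2)
    tbs = der_tlv(SEQUENCE,
        der_tlv(CTX0, der_tlv(INTEGER, b"\x02"))   # version v3
        + der_tlv(INTEGER, b"\x01")                 # serial number
        + sha256_rsa + name + validity + name + spki)
    return der_tlv(SEQUENCE, tbs + sha256_rsa + der_tlv(BIT_STRING, b"\x00" * 9))


# Constructed key material: the genuine server key and the key a proxy generates.
SERVER_KEY = bytes(range(1, 33))
PROXY_KEY = bytes(range(101, 133))
GENUINE_CERT = build_cert(SERVER_KEY, b"shop-x.example")
PROXY_CERT = build_cert(PROXY_KEY, b"shop-x.example")   # same name, different key
PINNED = {spki_pin(GENUINE_CERT)}                         # what the app would ship


def demo() -> tuple:
    """(genuine accepted, proxy accepted) -> (True, False)."""
    return pin_accepts(GENUINE_CERT, PINNED), pin_accepts(PROXY_CERT, PINNED)


if __name__ == "__main__":
    print(spki_pin(GENUINE_CERT), demo())
```

Because the pin is taken over the public key rather than the whole certificate, a renewed certificate for the same key still matches, while any certificate minted by a proxy CA fails regardless of how trusted that CA is on the device. An app that applies this check on the login connection but not on registration, as “X” appears to, leaves the unpinned flow as open as if pinning were absent.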