Some friends of mine they worry about the risk of Man-in-the-middle so they ask me how to verify the potential risk of some Apps.

Take a popular shopping app “X” for example, If “X” does not meet the requirement of  “Certificate Pinning”,  we could definitely use proxy tool like Burp Suite to intercept any confidential between mobile device and servers.

  1. Run Burp Suite on my laptop and my laptop becomes a proxy server. (Don’t foreget to change policy of firewall to allow connection to its proxy server listening port.)
  2. Download Certificate from Burp Suite and install this cert file into my mobile phone.
  3. Setup the proxy server ip and port in my mobile phone’s wifi settings.(Of course the ip is my laptop’s ip; the port number is the listening port of proxy server on my laptop)
  4. Make sure Burp suite is ready to intercept packets.

Now we could run this app “X” and start to login. Let’s see what data Burp could intercept. To my surprise “nothing” found in intercept tab.

The “Alert” tab turns orange means something happens. It looks like “X” could meet the requirement of certificate pinning.

Don’t jump to conclusions too soon. Let’s take a look at account registry. Input some data such as ID, username , password, phone number, e-mail and click “Submit”.  Guess what? Those confidential data being intercepted by Burp suite.

“X” still need to do certificate pinning to avoid the risk of MITM. Now my friends know how to verify certificate pinning by using proxy.

How to verify Certificate Pinning?的更多相关文章

  1. 008_ssl Certificate Pinning

    证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证书, ...

  2. 证书锁定Certificate Pinning技术

    证书锁定Certificate Pinning技术   在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证 ...

  3. Mobile game analysis

    Let's take a look at a very popular mobile game "Garena 传说对决" . It would be very interesti ...

  4. Mobile game forensics

    My friend Carrie'd like to know "Garena 传说对决" violates any mobile risks such as insecure d ...

  5. About certificate

    证书spec, X509, 类似规定了一个目录结构.其中重要内容包括 issuer: who isued this certificate subject: the ID of this certif ...

  6. 证书锁定SSL/TLS Pinning

    前言 APP端抓包中, 设置抓包代理后会发现部分APP(如app store.Facebook)直接无法访问,其他部分app又功能正常,为什么呢?这涉及 ssl-pinning,证书锁定. 证书锁定( ...

  7. IP, TCP, and HTTP--reference

    IP, TCP, and HTTP Issue #10 Syncing Data, March 2014 By Daniel Eggert When an app communicates with ...

  8. Android 1.5-7.0(持续更新)安全机制一览

    Android 1.5 ProPolice to prevent stack buffer overruns (-fstack-protector),在缓冲区buffer与返回地址之间加入Canary ...

  9. OkHttp 官方Wiki【设计思想】

    官方Wiki之Calls 原文位置:https://github.com/square/okhttp/wiki/Calls The HTTP client's job is to accept you ...

随机推荐

  1. BZOJ 1037: [ZJOI2008]生日聚会Party [序列DP]

    1037: [ZJOI2008]生日聚会Party Time Limit: 10 Sec  Memory Limit: 162 MBSubmit: 2249  Solved: 1337[Submit] ...

  2. Go基础之--排序和查找操作

    排序操作主要都在sort包中,导入就可以使用了import("sort") 常用的操作 sort.Ints:对整数进行排序sort.Strings:对字符串进行排序sort.Flo ...

  3. Orleans入门例子

    Orleans入门例子 这是Orleans系列文章中的一篇.首篇文章在此  一.铺垫. 虽然是个入门例子,还是需要一些铺垫. Orleans的最小完全体,应该分为2个部分.一个是Orleans客户端, ...

  4. mysql 军规 (转载)

    导语 来自一线的实战经验 每一条军规背后都是血淋淋教训 不要华丽,只要实用 若有一条让你受益,慰矣 主要针对数据库开发人员 总是在灾难发生后,才想起容灾的重要性 总是在吃过亏后,才记得曾经有人提醒过 ...

  5. 超级简便的容器化部署工具(使用 ASP.NET Core 演示)

    Docker 改变了我们部署网站的方式,从原先的手动编译打包上传,到现在的构建镜像然后推送部署,让我们在配置环境上所花费的时间大大减少了.不仅如此,通过一系列相关的工具配合,可以很轻松的实现 CI.C ...

  6. openvpn 客户端一键脚本安装

    #!/bin/bash dir=/etc/openvpn#file=AD00012basepath=$(cd `dirname $0`; pwd)PACKAGE_DIR="${basepat ...

  7. 对html语义化的理解

    所有人都知道html即超文本标记语言或超文本链接标示语言,是目前网络上应用最为广泛的语言,也是构成网页文档的主要语言. html标签中的大部分都是由"语义化"标签所担任 那么,它有 ...

  8. 原创!!jquery简单tips和dialog

    <!------------------html代码-----------------------> <!DOCTYPE html><html><head&g ...

  9. 【ASP.NET Core】处理异常(下篇)

    上一篇中,老周给大伙伴们扯了有关 ASP.NET Core 中异常处理的简单方法.按照老周的优良作风,我们应该顺着这个思路继续挖掘. 本文老周就不自量力地介绍一下如何使用 MVC Filter 来处理 ...

  10. java1 - 环境与简介

    一.阅读 JAVA历史 回答以下问题: JDK 是什么? JRE 是什么? java 有那三大平台? java 开发工具有那些? java 可以在那些系统上面做开发? java 工程师可以做什么? 二 ...