Some friends of mine they worry about the risk of Man-in-the-middle so they ask me how to verify the potential risk of some Apps.

Take a popular shopping app “X” for example, If “X” does not meet the requirement of  “Certificate Pinning”,  we could definitely use proxy tool like Burp Suite to intercept any confidential between mobile device and servers.

  1. Run Burp Suite on my laptop and my laptop becomes a proxy server. (Don’t foreget to change policy of firewall to allow connection to its proxy server listening port.)
  2. Download Certificate from Burp Suite and install this cert file into my mobile phone.
  3. Setup the proxy server ip and port in my mobile phone’s wifi settings.(Of course the ip is my laptop’s ip; the port number is the listening port of proxy server on my laptop)
  4. Make sure Burp suite is ready to intercept packets.

Now we could run this app “X” and start to login. Let’s see what data Burp could intercept. To my surprise “nothing” found in intercept tab.

The “Alert” tab turns orange means something happens. It looks like “X” could meet the requirement of certificate pinning.

Don’t jump to conclusions too soon. Let’s take a look at account registry. Input some data such as ID, username , password, phone number, e-mail and click “Submit”.  Guess what? Those confidential data being intercepted by Burp suite.

“X” still need to do certificate pinning to avoid the risk of MITM. Now my friends know how to verify certificate pinning by using proxy.

How to verify Certificate Pinning?的更多相关文章

  1. 008_ssl Certificate Pinning

    证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证书, ...

  2. 证书锁定Certificate Pinning技术

    证书锁定Certificate Pinning技术   在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证 ...

  3. Mobile game analysis

    Let's take a look at a very popular mobile game "Garena 传说对决" . It would be very interesti ...

  4. Mobile game forensics

    My friend Carrie'd like to know "Garena 传说对决" violates any mobile risks such as insecure d ...

  5. About certificate

    证书spec, X509, 类似规定了一个目录结构.其中重要内容包括 issuer: who isued this certificate subject: the ID of this certif ...

  6. 证书锁定SSL/TLS Pinning

    前言 APP端抓包中, 设置抓包代理后会发现部分APP(如app store.Facebook)直接无法访问,其他部分app又功能正常,为什么呢?这涉及 ssl-pinning,证书锁定. 证书锁定( ...

  7. IP, TCP, and HTTP--reference

    IP, TCP, and HTTP Issue #10 Syncing Data, March 2014 By Daniel Eggert When an app communicates with ...

  8. Android 1.5-7.0(持续更新)安全机制一览

    Android 1.5 ProPolice to prevent stack buffer overruns (-fstack-protector),在缓冲区buffer与返回地址之间加入Canary ...

  9. OkHttp 官方Wiki【设计思想】

    官方Wiki之Calls 原文位置:https://github.com/square/okhttp/wiki/Calls The HTTP client's job is to accept you ...

随机推荐

  1. 浅谈JavaScript的事件(事件类型)

    Web浏览器能够发生的事件有很多种类型,不同的事件类型有不同的事件信息.DOM3级的事件类型主要包括:UI事件,用户与页面上的元素交互时触发:焦点事件,元素获得或失去焦点触发:鼠标事件,用户通过鼠标在 ...

  2. [实例]JAVA生成字母+随机数字并生成文件

    package com.ishow.control.code; import java.io.*; import java.text.SimpleDateFormat; import java.uti ...

  3. linux打印彩色字

    echo显示带颜色,需要使用参数-e格式如下:echo -e "\033[字背景颜色;文字颜色m字符串\033[0m"例如: echo -e "\033[41;37m T ...

  4. MySQL数据库基础

    MySQL数据库基础 本文的所有操作是基于CMD环境,MySQL通过在命令行中输入SQL语句对数据库进行操作.配置问题可参考<打通MySQL的操作权限>中的内容,该文算是针对前期的环境配置 ...

  5. 阿里云 virtual memory exhausted: 无法分配内存

    在阿里云买了个云服务器,内存1G.编译php时出现下面的错误: virtual memory exhausted: Cannot allocate memory 问题原因:由于物理内存本身很小,且阿里 ...

  6. CentOS安装JDK 8

    准备工作 首先,更新包: yum update 检查服务器上是否已安装旧版本的Java: java -version 如果有旧版本的Java则移除: yum remove java-1.6.0-ope ...

  7. php用正则匹配出图片img标签中的src路径(兼容)

    用php抓图片是个常用的需求,下面提供一个比较兼容的正则表达式来实现php抓取出页面.字符串中所有图片的src. 下面是一个范例,能匹配各种标签格式写法的图片,不管src在什么地方,还是单引号.双引号 ...

  8. linux服务器ssh、公匙和密钥实战详解

    一..我们先建好一上haiwen用户用来,做为密码钥和SSH对像 二.修改vi /etc/ssh/sshd_config 文件,禁用ROOT远程直接登录. 三.ssh的公钥认证配置,只能用密匙才能登录 ...

  9. php实现的短网址算法分享

    这篇文章主要介绍了php实现的短网址算法,理论上支持1,073,741,824个短网址,个人使用足够了,需要的朋友可以参考下 每个网址用6个字符代替,(6^32) 最多可以拥有1,073,741,82 ...

  10. easyui验证扩展

    问题描述: 如上所示:当用户添加信息时,必须保证一个队伍一天只能有一条数据.所以在选择了报表日期的时候必须查询数据库里面当前队伍这一天的数据是否存在.如果不存在,即当前日期队伍没有数据,就可以进行数据 ...