Some friends of mine they worry about the risk of Man-in-the-middle so they ask me how to verify the potential risk of some Apps.

Take a popular shopping app “X” for example, If “X” does not meet the requirement of  “Certificate Pinning”,  we could definitely use proxy tool like Burp Suite to intercept any confidential between mobile device and servers.

  1. Run Burp Suite on my laptop and my laptop becomes a proxy server. (Don’t foreget to change policy of firewall to allow connection to its proxy server listening port.)
  2. Download Certificate from Burp Suite and install this cert file into my mobile phone.
  3. Setup the proxy server ip and port in my mobile phone’s wifi settings.(Of course the ip is my laptop’s ip; the port number is the listening port of proxy server on my laptop)
  4. Make sure Burp suite is ready to intercept packets.

Now we could run this app “X” and start to login. Let’s see what data Burp could intercept. To my surprise “nothing” found in intercept tab.

The “Alert” tab turns orange means something happens. It looks like “X” could meet the requirement of certificate pinning.

Don’t jump to conclusions too soon. Let’s take a look at account registry. Input some data such as ID, username , password, phone number, e-mail and click “Submit”.  Guess what? Those confidential data being intercepted by Burp suite.

“X” still need to do certificate pinning to avoid the risk of MITM. Now my friends know how to verify certificate pinning by using proxy.

How to verify Certificate Pinning?的更多相关文章

  1. 008_ssl Certificate Pinning

    证书锁定Certificate Pinning技术 在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证书, ...

  2. 证书锁定Certificate Pinning技术

    证书锁定Certificate Pinning技术   在中间人攻击中,攻击主机通常截断客户端和服务器的加密通信.攻击机以自己的证书替代服务器发给客户端的证书.通常,客户端不会验证该证书,直接接受该证 ...

  3. Mobile game analysis

    Let's take a look at a very popular mobile game "Garena 传说对决" . It would be very interesti ...

  4. Mobile game forensics

    My friend Carrie'd like to know "Garena 传说对决" violates any mobile risks such as insecure d ...

  5. About certificate

    证书spec, X509, 类似规定了一个目录结构.其中重要内容包括 issuer: who isued this certificate subject: the ID of this certif ...

  6. 证书锁定SSL/TLS Pinning

    前言 APP端抓包中, 设置抓包代理后会发现部分APP(如app store.Facebook)直接无法访问,其他部分app又功能正常,为什么呢?这涉及 ssl-pinning,证书锁定. 证书锁定( ...

  7. IP, TCP, and HTTP--reference

    IP, TCP, and HTTP Issue #10 Syncing Data, March 2014 By Daniel Eggert When an app communicates with ...

  8. Android 1.5-7.0(持续更新)安全机制一览

    Android 1.5 ProPolice to prevent stack buffer overruns (-fstack-protector),在缓冲区buffer与返回地址之间加入Canary ...

  9. OkHttp 官方Wiki【设计思想】

    官方Wiki之Calls 原文位置:https://github.com/square/okhttp/wiki/Calls The HTTP client's job is to accept you ...

随机推荐

  1. 51Nod 欢乐手速场1 B 序列变换[容斥原理 莫比乌斯函数]

    序列变换 alpq654321 (命题人)   基准时间限制:1 秒 空间限制:131072 KB 分值: 40 lyk有两序列a和b. lyk想知道存在多少对x,y,满足以下两个条件. 1:gcd( ...

  2. DNA序列组装(贪婪算法)

    生物信息学原理作业第四弹:DNA序列组装(贪婪算法) 原理:生物信息学(孙啸) 大致思想: 1. 找到权值最大的边: 2. 除去以最大权值边的起始顶点为起始顶点的边: 3. 除去以最大权值边为终点为终 ...

  3. C#查询XML解决“需要命名空间管理器”问题

    在查询xml时有时会遇到带有前缀的xml,例如:"<ows:Keyword></ows:Keyword>" 这时像往常一样查询就会报错,类似于"需 ...

  4. nginx隐藏版本号

    在实际运用nginx中我们最好将我们的版本号直接隐藏,因为有些版本号的nginx被爆出了漏洞,所以我们为了安全起见,最好将我们的版本号隐藏. 1.对于未安装的nginx我们使用源码编译安装才可以将版本 ...

  5. "abc123 ,def456",反转字母,其他位置不变

    "abc123 ,def456",反转字母,其他位置不变. 无意间看到个有意思的面试题,忽然来了兴趣想着来做一下. 操作字符串用正则的效率比较高,但第一反应还是用原生来操作.下面说 ...

  6. 响应式框架Bootstrap

    概念:Bootstrap将会根据你的屏幕的大小来调整HTML元素的大小 -- 强调 响应式设计的概念. 通过响应式设计,你无需再为你的网站设计一个手机版的.它在任何尺寸的屏幕上看起来都会不错. Boo ...

  7. 百度编辑器Ueditor增加字体的修改方法

    http://www.jb51.net/article/109896.htm Ueditor本身自带11种字体  使用过程中这11种字体往往不能满足我们的需求,现在我要添加"仿宋" ...

  8. ios开发常用RGB色值

    iOS中RGB常用的色值,同时可将对颜色的设置定义成宏,方便开发应用,如: // RGB颜色转换(16进制->10进制) #define UIColorFromRGB(rgbValue) [UI ...

  9. MySQL对sum()字段 进行条件筛选,使用having,不能用where

    显示每个地区的总人口数和总面积.仅显示那些面积超过1000000的地区. SELECT region, SUM(population), SUM(area) FROM bbc GROUP BY reg ...

  10. 同步博客—CSDN推广

    niiickのCSDN 用CSDN也有几个月了 其实一开始有人让我转到博客园我是拒绝的 (毕竟强迫症接受不了一边博客只有一半= =) 不过最近有幸观赏了某位dalao的博客园 发现没有广告好棒!!!设 ...