To discover and trace (undocumented) APIs on the Internet, a common method is to use an HTTPS proxy server to intercept traffic from an application to a server: a man-in-the-middle (MITM) attack. Typically all traffic nowadays is sent over TLS, so the proxy server needs to spoof the server's SSL certificate. This technique works only if the app accepts the SSL connection, which it typically does only when its local certificate store has a Certificate Authority (CA) certificate that matches the one in the chain of the certificate generated by the proxy. So as long as we make sure the CA certificate of the HTTPS proxy is installed as a trusted source, the app won't care that the SSL certificate offered by the "server" is rogue. (Whether a user-installed CA counts as trusted at all depends on the platform: since Android 7, for example, apps ignore user-added CAs unless their network security configuration opts in.)

However, some apps take an additional security measure called SSL certificate pinning. Essentially it means the app compares the public key of the CA certificate (or of the server's own certificate) in the chain presented by the server against a "pinned" public key that comes bundled with the app. A certificate issued by the proxy's CA chains correctly to the installed CA certificate, but its public key does not match the pin, so the app rejects the connection even though the trust store would have accepted it.
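To make the difference between the two checks concrete, here is an added example (not code from the original post) that simulates the whole scenario with nothing but the openssl CLI: a genuine CA and server certificate, a proxy CA that issues a spoofed certificate for the same host, a device trust store that contains both CAs, and an "app" that either checks only the chain or also compares a SPKI pin. The host name `api.example.com`, the CA names and the file layout are assumptions; OpenSSL 1.1.1 or later is assumed to be installed.

```shell
#!/bin/sh
# Added example: simulate an HTTPS MITM proxy against an app with and without
# certificate pinning, using only the openssl CLI (1.1.1+ assumed).
# Names such as api.example.com, real_ca and proxy_ca are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="api.example.com"

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST
EOF

# make_ca NAME: self-signed CA (NAME.key, NAME.crt). Stands in both for a public
# CA and for the HTTPS proxy's own root certificate.
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days 1 -subj "/CN=$1" 2>/dev/null
}

# make_leaf NAME CA: server certificate for $HOST issued by CA. A MITM proxy
# does exactly this on the fly when it spoofs the real server's certificate.
make_leaf() {
  openssl req -new -config "$WORK/openssl.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$HOST" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/$1.crt" -days 1 2>/dev/null
}

# spki_pin CERT: base64(SHA-256(SubjectPublicKeyInfo)), the usual pin format.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# chain_ok CERT CAFILE: succeeds if CERT chains to a CA in CAFILE. This is the
# only check an app without pinning makes (hostname matching omitted here).
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# setup_pki: genuine CA + server cert, proxy CA + spoofed cert, a trust store
# holding both CAs (the device after the proxy CA was installed), and the pin
# the app ships for the genuine server key.
setup_pki() {
  [ -f "$WORK/trusted.pem" ] && return 0
  make_ca real_ca;  make_leaf real_server real_ca
  make_ca proxy_ca; make_leaf proxy_server proxy_ca
  cat "$WORK/real_ca.crt" "$WORK/proxy_ca.crt" > "$WORK/trusted.pem"
  spki_pin "$WORK/real_server.crt" > "$WORK/app.pin"
}

# app_accepts CERT MODE: MODE is "none" (trust store only) or "pinning"
# (trust store plus SPKI pin). Exit status 0 means the handshake is accepted.
app_accepts() {
  chain_ok "$1" "$WORK/trusted.pem" || return 1
  [ "$2" = pinning ] || return 0
  [ "$(spki_pin "$1")" = "$(cat "$WORK/app.pin")" ]
}

setup_pki
for mode in none pinning; do
  for cert in real_server proxy_server; do
    if app_accepts "$WORK/$cert.crt" "$mode"; then r=accepted; else r=rejected; fi
    echo "$mode: $cert -> $r"
  done
done
```

Without pinning both certificates are accepted, because the proxy's certificate chains to a CA the device now trusts; with pinning only the genuine server certificate passes. The same `spki_pin` computation applied to the issuing CA certificate gives the pin an app would ship if it pins the CA key rather than the leaf key.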