Bypassing Certificate Pinning

Sun 18 August 2019 By Paulo Renato

Category: Android, Mobile App Development, MitM Attack, Certificate Pinning

In a previous article we saw how to protect the HTTPS communication channel between a mobile app and an API server with certificate pinning, and as promised at the end of that article we will now see how to bypass certificate pinning.

To demonstrate how to bypass certificate pinning we will use the same Currency Converter Demo mobile app that was used in the previous article.

In this article you will learn how to repackage a mobile app in order to make it trust custom SSL certificates. This will allow us to bypass certificate pinning.


Securing HTTPS with Certificate Pinning on Android

Wed 26 June 2019 By Paulo Renato

Category: Android, API, Mobile App Development, MitM Attack, Certificate Pinning


In a previous article we saw how we could steal an API key by performing a man-in-the-middle (MitM) attack to intercept the HTTPS traffic between the mobile app and the API server. In this article we will learn how to mitigate this type of attack by using a technique known as certificate pinning.

In order to demonstrate how to use certificate pinning to protect the HTTPS traffic between your mobile app and your API server, we will use the same Currency Converter Demo mobile app that I used in the previous article.

In this article we will learn what certificate pinning is, when to use it, how to implement it in an Android app, and how it can prevent a MitM attack.


Apple DeviceCheck and CriticalBlue Approov

Sat 27 April 2019 By David Stewart

Category: API Keys, Android, Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, SafetyNet, DeviceCheck


We are often asked by customers and prospects to compare our beloved Approov with Apple's DeviceCheck offering. Since DeviceCheck is intended to uniquely identify iOS phone instances, this is a reasonable question. However, DeviceCheck and Approov are designed to do quite different things, and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here.


Google SafetyNet and CriticalBlue Approov

Sat 27 April 2019 By David Stewart

Category: API Keys, Android, Mobile App Authentication, Repackaged Apps, Reverse Engineering, Threats, SafetyNet, DeviceCheck


We are often asked by customers and prospects to compare our beloved Approov with Google's SafetyNet offering. Since SafetyNet is intended to identify genuine Android instances, this is a reasonable question. However, SafetyNet and Approov are designed to do quite different things, and therefore we wrote a handy guide to help our customers appreciate when to employ each solution and why. You can download the guide from here.


Preventing Mobile App and API Abuse

Thu 21 March 2019 By Skip Hovsmith

Category: TLS, Android, iOS, Mobile App Authentication, OAuth2, API, Mobile App Development


How to Pin Mobile gRPC Channels

Mon 04 March 2019 By Skip Hovsmith

Category: TLS, Android, API, Mobile App Development, gRPC

Last-mile Security for gRPC-connected mobile APIs


Consider gRPC for Mobile APIs

Tue 05 February 2019 By Skip Hovsmith

Category: Android, API, Mobile App Development, gRPC

Evaluating gRPC Request-Response, Authentication, and Streaming

gRPC is an open source remote procedure call (RPC) framework that runs across many different client and server platforms. It commonly uses protocol buffers (protobufs) to efficiently serialize structured data for communication, and it is used extensively in distributed and microservice-based systems.


Strengthen TLS in React Native Through Certificate Pinning

Tue 14 August 2018 By Skip Hovsmith

Category: Android, ReactNative

Beginning in July 2018 with the 68 release, Chrome began marking all sites not running HTTPS (TLS over HTTP) as “not secure”. TLS uses site certificates to establish a chain of trust and encrypt communication at the transport layer.


React Native: Bridging an Android Native Module for App Authentication

Wed 02 May 2018 By Skip Hovsmith

Category: Android, ReactNative

Photo by NGO TUNG on Unsplash
