one of the best tools for reverse engineering mobile apps.
I'm just having problems when certificate pinning is enabled. Does anyone have an idea (or even a solution) how to deal with that?
Even without certificate pinning, starting with Android 7, you must decompile the app to allow user-provided certificates. Or use an Xposed module if you have a rooted device.
Also, if the app uses Google sign-in, you have to be rooted, because Play Services uses the package manager to check the app signer before giving the app a token.
Same here, mitmproxy was always the go-to tool, but many apps now use certificate pinning, which stops it cold.
I was recently wishing for a "Jailbroken Mobile Testing Tool", similar to Sauce Labs or BrowserStack but with jailbroken mobiles -- i.e. a cloud-based service allowing you to remotely control a mobile phone through a web interface. Would that be interesting to have?
This service would allow you to load an app from the App Store / Google Play, and then interact with it while logging all network connections (in tcpdump/wireshark/HAR/etc. format). The controlled mobiles would be jailbroken and have tools like SSL Kill Switch (as mentioned by @bitexploder in another comment) installed by default.
(Going further: the same tool would allow you to download the phone's storage as a zip archive for further analysis)
It's been a while, but when I have been reversing Android apps with certificate pinning in the past, I had the most luck with decompiling the APK with apktool, removing the certificate pinning in the smali bytecode, then recompiling and signing the APK again.
For iOS, I know there are jailbreak Cydia tweaks that try to disable certificate pinning, but I have no experience with this.
We deal with this routinely. Solutions tend to vary.
On iOS just use SSL Kill Switch (if you are jailbroken). If you are not jailbroken you don't have a lot of options. On Android there are some well-documented approaches. Usually decompiling the app and adding to the local app's cert store will work, and then re-archive and sign it.
Function hooking key network calls can work as well. It is pretty much required that if you want to do serious tinkering or assessment you need a jailbroken or rooted device. This can be a significant effort investment, but once done is generally reliable.
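The Android procedure that several comments above describe (decode the APK with apktool, make the app trust user-installed CAs so the proxy's certificate is accepted, find the pinning code in the smali so it can be removed, then rebuild and re-sign) worked through as an added example; this is not code from any commenter in the thread. It operates on an apktool-decoded directory and assumes you run `apktool d`, `apktool b` and `apksigner` yourself around it. The Android 7 user-CA behaviour is handled by adding a network security config that lists the `user` trust anchors (file name `network_security_config.xml` is this example's choice); pinning classes are only reported, since which smali to strip is app-specific. The `make_sample_decoded` tree and the `PINNING_MARKERS` list are constructed for the demo and are heuristic.

```python
"""Patch an apktool-decoded APK to trust user CAs and flag pinning code.

Added example, not from the thread. Assumes `apktool d app.apk -o decoded/`
has run and that you rebuild with `apktool b decoded/` and re-sign with
`apksigner` afterwards; those steps are outside this script.
"""
import re
import sys
import tempfile
from pathlib import Path

# Config that trusts both the system store and user-installed CAs
# (the mitmproxy CA you install on the device). Name is this example's choice.
NSC_NAME = "network_security_config"
NSC_XML = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Heuristic smali markers for pinning / custom trust logic. Expect false
# positives (X509TrustManager is also used by ordinary TLS code); review hits.
PINNING_MARKERS = (
    "Lokhttp3/CertificatePinner;",
    "Lcom/squareup/okhttp/CertificatePinner;",
    "Ljavax/net/ssl/X509TrustManager;",
)


def write_network_security_config(decoded: Path) -> Path:
    """Write our config to res/xml/, replacing any file of the same name."""
    xml_dir = decoded / "res" / "xml"
    xml_dir.mkdir(parents=True, exist_ok=True)
    target = xml_dir / f"{NSC_NAME}.xml"
    target.write_text(NSC_XML, encoding="utf-8")
    return target


def patch_manifest(decoded: Path) -> str:
    """Point <application> at our config; returns the patched manifest text."""
    manifest = decoded / "AndroidManifest.xml"
    text = manifest.read_text(encoding="utf-8")
    attr = f'android:networkSecurityConfig="@xml/{NSC_NAME}"'
    if "android:networkSecurityConfig=" in text:
        # App ships its own config (possibly with a <pin-set>); redirect it.
        text = re.sub(r'android:networkSecurityConfig="[^"]*"', attr, text, count=1)
    else:
        text = re.sub(r"<application\b", f"<application {attr}", text, count=1)
    manifest.write_text(text, encoding="utf-8")
    return text


def find_pinning_smali(decoded: Path) -> list[str]:
    """Decoded-relative paths of smali files that reference pinning classes."""
    hits = []
    for smali in sorted(decoded.glob("smali*/**/*.smali")):
        body = smali.read_text(encoding="utf-8", errors="replace")
        if any(marker in body for marker in PINNING_MARKERS):
            hits.append(smali.relative_to(decoded).as_posix())
    return hits


def patch_decoded_apk(decoded: Path) -> dict:
    config = write_network_security_config(decoded)
    return {
        "config": config.relative_to(decoded).as_posix(),
        "manifest": patch_manifest(decoded),
        "pinning_files": find_pinning_smali(decoded),
    }


def make_sample_decoded(root: Path, existing_config: bool = False) -> Path:
    """Constructed stand-in for apktool output (demo/test input only)."""
    cfg = ' android:networkSecurityConfig="@xml/app_nsc"' if existing_config else ""
    (root / "AndroidManifest.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="com.example">\n    <application{cfg} android:label="Example">\n'
        "    </application>\n</manifest>\n", encoding="utf-8")
    pkg = root / "smali" / "com" / "example"
    pkg.mkdir(parents=True)
    (pkg / "Pinner.smali").write_text(
        ".class public Lcom/example/Pinner;\n"
        ".method public static build()Lokhttp3/CertificatePinner;\n"
        "    new-instance v0, Lokhttp3/CertificatePinner$Builder;\n.end method\n",
        encoding="utf-8")
    (pkg / "Other.smali").write_text(".class public Lcom/example/Other;\n", encoding="utf-8")
    return root


def demo(existing_config: bool = False) -> dict:
    """Run the patcher against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return patch_decoded_apk(make_sample_decoded(Path(tmp), existing_config))


if __name__ == "__main__":
    result = patch_decoded_apk(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print("wrote", result["config"])
    print("pinning candidates:", result["pinning_files"] or "none found")
```

Run it as `python patch_nsc.py decoded/` after `apktool d`, then `apktool b decoded/ -o patched.apk` and sign with `apksigner`; the listed smali files are where the pinning check still has to be removed by hand before the proxy certificate is accepted. Redirecting an existing `networkSecurityConfig` attribute matters because an app can pin through a `<pin-set>` in its own config rather than in code.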