Mobile App Network Communication
If there are no tools listed after the heading, the links are just used to gather knowledge and information about the topic.
OWASP Certificate Pinning Cheat Sheet
About Pinning Recommendations in Apple Developers
OWASP MASTG Recommendation
Burp Suite
OWASP ZAP
Xamarin and Flutter apps usually bypass the system proxy, so these apps cannot be analysed with Burp or ZAP.
Alternatives are:
Run the app on a VM and analyse the VM's HTTP(S) traffic
On iOS, with a Mac, create a Remote Virtual Interface
Configure a VPN on the device being tested (example)
On Android, use ProxyOn
Take a look at section: Setting a Proxy Through Runtime Instrumentation
Burp-non-HTTP-Extension - Burp extension
Mitm-relay - Burp extension
Hook methods responsible for traffic with Frida
Wireshark - Sniff traffic
bettercap - MITM
Wireshark (in CLI: TShark)
tcpdump
Frida
Cycript
Inspeckage - Dynamic APK analyser
nscurl - Apple command to verify TLS settings
testssl.sh - Command line tool to check TLS support