What is the best way to analyze requests sent by a mobile application over SSL? The communication protocol is not necessarily HTTP/S so intercepting them with BURP/ZAP/Fiddler or any other HTTP proxy will not necessarily work, but - How do I get the traffic to even reach the proxy?
I've read some material here relating to similar subjects but I couldn't find description of a complete flow I could follow to actually perform this task.
Does the device on which the application is installed need to be rooted for me to perform this task?
If the application uses certificate pinning, is there still a way to do this?
I am specifically interested in understanding how the Whatsapp security model works - i.e. what mechanism do they have in place to prevent a malicious user to fetch the chat history of a legitimate user (seeing as there is no actual login - Is there a cookie/another mechanism sent from the device identifying the user in front of the server?)
My organization is considering implementing a messaging application that works in a similar way and we are trying to make sure that a malicious user cannot steal the identity of a legitimate user. (we are not intending to implement a login mechanism)
Aucun commentaire:
Enregistrer un commentaire