Employee achievement | Pankaj Battise

In my opinion, Knowledge and technology are an ocean and every individual is a swimmer who can dive in as deep as he can.

I have been interested in mobility from the initial phase of my career and I am really fortunate enough that I am getting the subsequent chances to work on the domain.

Today I would like to share one of my interesting experiences related to the security aspect.

If you are using HTTPS:// over HTTP:// while making a server call, do you really think it’s a secure way for communication between server and client? Most the folks will think that YES it’s a secure way.

Actually, it’s not guaranteed to be 100 percent secure and here SSL pining concept comes into the picture. 

I was able to crack HTTP requests very easily in one of my applications with the help of Charles’s third-party tool by configuring it as a proxy server in the mobile device.

The solution to the problem was to use HTTPS requests over the network. I did those changes and tried with Charles again and surprisingly the request failed saying that Charles’s proxy is in place somewhere so a secure connection to the server cannot be made.

At this point, I tried to break security by introducing a fake certificate downloaded from Charles and installed on the client (mobile device). This time I was able to intercept the request easily. 

Here we can restrict this scenario by SSL pining concept where certificate issued from the authority can be pinned into the app bundle so that each request can be performed after comparing certificates. 

What are your thoughts on the subject?