apk-mitm VS mitmproxy

For some reason fazolis rewards app from apkpure or anywhere has custom SSL Pinning (at least i think) I have tried patching fazolis rewards with https://github.com/shroudedcode/apk-mitm. And then using NoxPlayer for an emulator and mitmproxy to intercept https requests and some go through but others are not trusted by the client. What am I doing wrong? is it impossible for some applications?

If you want to capture and decrypt the traffic from one or a few apps without root, you can use apk-mitm to reverse engineering the apps to install a network config file which allows you to use user CA to decrypt the traffic of that app. apk-mitm will do everything for you, you will just have to reinstall the app(it requires first to uninstall from the phone because the app's signature will be different and it will not allow installing the apks from apk-mitm as an update to the original app). Modern apps use split apks, you can use SAI to install an app from split apks.

> For example, Chrome Desktop, Firefox, and IE did not enforce HPKP if they encountered a cert from a user-added CA. Why does Android do the opposite?

Your examples are all browsers. I understood that Chrome on Android will continue to support using a user-added CA added to the user store. Android and desktops behave exactly the same for web browsers.

Non-browser apps are where the differences exist. On Android you must opt-in each app to trust the user store. I'd imagine that the next step is automating https://github.com/shroudedcode/apk-mitm to bulk replace all installed apps with modified apks.

You can use (apk-mitm)[https://github.com/shroudedcode/apk-mitm]. Simply load the API and wait for the patched version. Then download HTTP canary or use Fidler (whatever you prefer). I prefer using HTTP canary since I can intercept the API without looking through the random other requests on my PC. You also don't need a rooted phone which is a +

This statement gives a false sense of security. You can use a transparent proxy, like mitmproxy, to view HTTPS traffic - https://mitmproxy.org/. https://reedmideke.github.io/networking/2021/01/04/mitmproxy-openwrt.html

You'll need to install mitmproxy and set it up on your computer and iOS. I won't go into too much detail here on how to do this, but there are plenty of guides available. This is a pretty good one: https://nadav.ca/2021/02/26/inspecting-an-iphone-s-https-traffic/

TIL this goes back to 2006, how cool! We nowadays have a much simpler version as a mitmproxy example: https://github.com/mitmproxy/mitmproxy/blob/main/examples/ad.... Although it obviously does not work as well anymore with everything being HTTPS nowadays (unless you trust the cert of course). :)

Perhaps you could have your device use a proxy that can do the HTTPS unwrap for you? https://mitmproxy.org/ maybe?

A great way to test the effectiveness of a pinning implementation is by simulating an MITM attack. Tools like Mitmproxy or Wireshack allow us to create a test environment to monitor, intercept, and proxy network requests for a test host.