PTKD Mobile App Security
Severity: high | Mapping: M5, MASVS-NETWORK-2 | Phase: dynamic analysis | ID: PTKD-DYN-NOPINNING

TLS interception succeeded (no certificate pinning)

HTTPS requests completed through the test proxy's custom CA: the app accepted a substituted server certificate, so it neither pins nor otherwise restricts which CAs may issue certificates for its hosts. Anyone who can place a CA on the device, or disable validation at runtime, can intercept and modify its traffic (MITM).

How it's exploited

The test proxy presented a server certificate issued by its own CA, and the app completed the handshake and sent its requests through it: TLS interception succeeded end to end. The app therefore trusts whatever the device trust store trusts. Any attacker who can add a CA to the device (a user-installed certificate, a rooted or otherwise compromised device, a managed-device profile) or disable validation at runtime (instrumentation hooks on the trust manager) reads and modifies all of its traffic. When triaging, note that apps targeting Android API 24 or later do not trust user-installed CAs by default; if the app targets that level, acceptance of the proxy CA means either the trust configuration was widened (a network-security-config that trusts user certificates, or a custom TrustManager) or the CA sat in the system store of a rooted test device. Each of those is its own finding worth confirming.

Why it matters

Interception of your API traffic is demonstrated, not theoretical: session tokens, credentials exchanged during authentication flows, and any personal data in requests and responses are readable and modifiable by whoever controls the proxy. Pinning (MASVS-NETWORK-2) is the control that limits trust to your own keys even when the device trust store has been compromised.

How to fix it

  1. Pin your API hosts. On Android, declare a <pin-set> in network-security-config; it is enforced on API 24 and later, and only by networking stacks that use the platform trust manager, so a bundled native TLS stack needs its own pinning. On iOS, use NSPinnedDomains under NSAppTransportSecurity in Info.plist (iOS 14 and later; NSPinnedCAIdentities or NSPinnedLeafIdentities entries carrying SPKI-SHA256-BASE64 values) or TrustKit.
  2. Pin the SHA-256 of the SubjectPublicKeyInfo (not of the certificate) of your leaf or intermediate, and always ship a backup pin for a key generated in advance and kept offline, so a key rotation or compromise does not lock users out. Treat a pin failure as a hard handshake error and report it to your telemetry; never catch the exception and retry without pins, because pinning that fails open is equivalent to no pinning.
Android pin-set (res/xml/network_security_config.xml, referenced from the manifest's android:networkSecurityConfig attribute)
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <!-- Pins are base64 SHA-256 digests of the SubjectPublicKeyInfo. Once the
         expiration date passes, Android stops enforcing the pins (fails open). -->
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">base64+primary+spki+hash=</pin>
      <!-- Backup pin: SPKI of a pre-generated key held offline, used on rotation. -->
      <pin digest="SHA-256">base64+backup+spki+hash=</pin>
    </pin-set>
  </domain-config>
</network-security-config>
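The pin values above are placeholders. The script below, added here as a worked example and not part of PTKD or of any app's code, shows what actually gets hashed: it walks the DER structure of an X.509 certificate to the subjectPublicKeyInfo, computes the base64 SHA-256 pin that both the Android <pin-set> and the iOS NSPinnedDomains entries expect, renders the <domain-config> block for api.example.com, and runs a fail-closed pin check against a legitimate leaf and against a proxy-issued substitute. It uses only the Python standard library and works on real DER certificates (for example the output of openssl x509 -outform DER). The function names are ours, and the certificates and EC key points built in the block are constructed filler, structurally valid but unsigned, so the example runs offline; the pins it prints are not deployable.

```python
"""SPKI pin computation and pin-set check (added example, not PTKD code).
Works on real DER certificates; the certificates built below are CONSTRUCTED
(structurally valid but unsigned) so the script runs offline."""
import base64
import hashlib

def der_len(n: int) -> bytes:
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """One DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf: bytes, pos: int):
    """Parse the TLV header at pos; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the subjectPublicKeyInfo TLV of an X.509 certificate (RFC 5280):
    Certificate -> tbsCertificate -> [version] serialNumber signature issuer
    validity subject subjectPublicKeyInfo. The whole SPKI TLV is what
    network-security-config and NSPinnedDomains hash, not the certificate."""
    tag, pos, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, pos, _ = read_tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, _, field_end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                # EXPLICIT [0] version is optional
        pos = field_end
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)          # subjectPublicKeyInfo SEQUENCE
    assert tag == 0x30, "SPKI not found"
    return cert_der[pos:end]

def pin_for_spki(spki_der: bytes) -> str:
    """base64(SHA-256(SPKI)), the value both Android and iOS pin lists take."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der: bytes) -> str:
    return pin_for_spki(extract_spki(cert_der))

def check_pins(chain: list, pins: set) -> bool:
    """Fail-closed check: the handshake passes only if at least one certificate
    in the presented chain carries a pinned SPKI."""
    return any(spki_pin(cert) in pins for cert in chain)

def pin_set_xml(domain: str, pins, expiration: str) -> str:
    """Render a network-security-config <domain-config> for the given pins."""
    lines = ['<domain-config>',
             f'  <domain includeSubdomains="true">{domain}</domain>',
             f'  <pin-set expiration="{expiration}">']
    lines += [f'    <pin digest="SHA-256">{p}</pin>' for p in sorted(pins)]
    lines += ['  </pin-set>', '</domain-config>']
    return "\n".join(lines)

# --- constructed material (NOT real keys or certificates) --------------------
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1
OID_P256 = bytes.fromhex("2a8648ce3d030107")           # 1.2.840.10045.3.1.7
OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")   # 1.2.840.10045.4.3.2

def fake_ec_spki(point: bytes) -> bytes:
    """SPKI shaped like a P-256 key; the point bytes are arbitrary filler."""
    alg = der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + der(0x06, OID_P256))
    return der(0x30, alg + der(0x03, b"\x00" + point))

def fake_cert(spki: bytes) -> bytes:
    """Unsigned, structurally valid v3 certificate wrapping the given SPKI."""
    version = der(0xA0, der(0x02, b"\x02"))
    serial = der(0x02, b"\x01")
    sig_alg = der(0x30, der(0x06, OID_ECDSA_SHA256))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"270101000000Z"))
    tbs = der(0x30, version + serial + sig_alg + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))   # bogus signature

PRIMARY_SPKI = fake_ec_spki(b"\x04" + bytes(range(64)))
BACKUP_SPKI = fake_ec_spki(b"\x04" + bytes(range(64, 128)))           # key held offline
LEAF_CERT = fake_cert(PRIMARY_SPKI)                                    # what api.example.com serves
ROGUE_CERT = fake_cert(fake_ec_spki(b"\x04" + bytes(range(128, 192))))  # proxy-issued substitute
PINS = {pin_for_spki(PRIMARY_SPKI), pin_for_spki(BACKUP_SPKI)}

if __name__ == "__main__":
    print(pin_set_xml("api.example.com", PINS, "2027-01-01"))
    print("legitimate leaf accepted:", check_pins([LEAF_CERT], PINS))    # True
    print("proxy substitute accepted:", check_pins([ROGUE_CERT], PINS))  # False
```

Two points the code makes explicit: the backup pin is computed from an SPKI that no served certificate carries yet, which is exactly why it survives a rotation; and check_pins returns False for the rogue chain rather than falling through to the platform verifier, which is the fail-closed behaviour step 2 asks for. To pin a real host, feed extract_spki the DER leaf or intermediate from the actual chain and paste the resulting value into the <pin> element.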
