1.2 Check certificate

openssl pkcs7 -inform DER -in META-INF/*.RSA -noout -print_certs -text

or (optional)

jarsigner -verify -verbose -certs app_name.apk

• jarsigner --> huge output (each file gets validated)

• cert location:

  • unzip.apk --> META-INF/*.RSA

  • jadx app_name.apk --> resources/META-INF/*.RSA

• custom CAs may be definded: res/xml/network_security_config.xml (or similar name)

  • also cert-pinning info available there (i.e expiration)

THINGS TO REPORT

• CN=Android Debug (=debug cert -> public known private key)

• Cert is already expired

• The CA that issued the server certificate was unknown

• Cert was self signed

• The server configuration is missing an intermediate CA

• No cert-pinning (public key pinning) enabled (if you are able to route traffic through a proxy)

• cleartext Traffic is allowed (until Android 8.1):

  • <base-config cleartextTrafficPermitted="true">

  • <domain-config cleartextTrafficPermitted="true">

MORE DETAILS

• Manifest permissions

• SSL common problems

• ssltest