Overriding Default Implementation/behavior to bypass certificate checks in testing/development phases left in the application
- Overriding TrustManager
look for keywords
- Does the application ignore TLS issues in webViews.
Look for keywords
- Is the app debugable ? does that affect the previous points
HostnameVerifier properly configured ? is it accepting any hostname ?
Testing Security Providers
- Use Xposed to hook into the
java.security package, then hook into
java.security.Security with the method
getProviders (with no arguments). The return value will be an array of
- Determine whether the first provider is