datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License

API can still be intercepted by Burp after implementing it if Android API level < 24 #38

Closed wxhawk closed 5 years ago

wxhawk commented 6 years ago

After implementing it in Android, the API can still be intercepted by Burp: you can see the request/response and modify them. If the API level is < 24, this is not supposed to happen.

nabla-c0d3 commented 6 years ago

Have you used this in your config: <trustkit-config enforcePinning="true"> ?

wxhawk commented 6 years ago

@nabla-c0d3 yes, I did, but that does not help.

jobot0 commented 6 years ago

Hey @wxhawk, are you still experiencing this issue? Because I was not able to reproduce the problem.

wxhawk commented 6 years ago

@jobot0 good news!!!

How did you reproduce it? Did you use Burp as a proxy to intercept all the network traffic from the mobile app? Both the pen tester and I can reproduce the case. Oh, I forgot to mention one important thing: I am developing a React Native app. How does it support React Native apps?

jobot0 commented 5 years ago

@wxhawk sorry for the delay in my answer. I just did the minimal Burp test (meaning I just installed Burp on a device (23) and tried to intercept the request) and TrustKit seems to work. I need to set up a React Native environment. I have not done the React Native support myself, but I'll definitely have a look to understand why you still have the issue.

ppamorim commented 5 years ago

I am having the same issue with a native app.

jobot0 commented 5 years ago

Hey @wxhawk, quick update: I'm still investigating the issue 😅 Sorry for the delay, I've had a lot on my plate recently and I'm also facing the Mojave/Burp issue.

@ppamorim are you talking about a React Native app or a native app written only with the Android framework?

ppamorim commented 5 years ago

@jobot0 Native app written in Kotlin. I needed to add the certificate manually to the XML file. :(

AbhishekCode commented 5 years ago

Facing a similar issue. My targetSdkVersion is 26 and enforcePinning is true.

nabla-c0d3 commented 5 years ago

TrustKit does not officially support react-native (we've never tested it) so I'll close this issue. If the problem is still happening with a non-react app, please open a new ticket with a copy of your network policy configuration. Thanks!
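As an added example, not taken from this thread or from the TrustKit project's own files: a network security configuration of the kind nabla-c0d3 asks about in the "enforcePinning" question and again in the closing request for "a copy of your network policy configuration". The domain, expiration date, report URI and pin values are placeholders. The comments explain the one point that decides whether Burp can still read the traffic on a device below API level 24: there the OS does not evaluate this file at all, so pinning only happens on connections that the app routes through TrustKit's own SSLSocketFactory and TrustManager, which a third-party networking stack such as React Native's does not do on its own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (example, placeholder values) -->
<network-security-config>
    <!-- Pinning applies only to the domains listed in a domain-config;
         any host not listed here is not pinned and will be proxied happily. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- Two SHA-256 SPKI pins: the current key plus a backup, so a key
             rotation does not lock every installed client out.
             Both values below are placeholders, not real pins. -->
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>

        <!-- TrustKit-specific settings, ignored by the OS itself.
             enforcePinning="false" (the default) only reports pin failures and
             still lets the connection through; that is indistinguishable from
             "pinning does not work" when testing with Burp.
             enforcePinning="true" makes a pin mismatch fail the connection. -->
        <trustkit-config enforcePinning="true">
            <report-uri>https://reports.example.com/pin-failures</report-uri>
        </trustkit-config>
    </domain-config>
</network-security-config>

<!-- AndroidManifest.xml (fragment). The networkSecurityConfig attribute is what
     Android N (API 24) and later enforce natively. The meta-data entry is how
     TrustKit locates the same file on older devices, where the OS ignores it
     and the app must also build its HTTP client with
     TrustKit.getInstance().getSSLSocketFactory(host) /
     getTrustManager(host) for the pins to be checked at all. -->
<!--
<application
    android:networkSecurityConfig="@xml/network_security_config">
    <meta-data
        android:name="android.security.net.config"
        android:resource="@xml/network_security_config" />
</application>
-->
```

A quick way to tell the two failure modes apart during a Burp test: on a device below API 24, a connection that is intercepted despite enforcePinning="true" almost always means the request never went through TrustKit's socket factory (the OS did nothing, and TrustKit was never asked), whereas on API 24 and above the same symptom points at the config file itself, typically a missing or mis-spelled domain entry or the manifest not referencing the file.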