That is an interesting article.
Indeed, certificate pinning is a pretty good defense in depth.
Because, using mobile apps, an attacker can learn all the requests and responses (basically your whole API), as they can easily decrypt HTTPS.
And so, it is easy to know the request body, even if you hid it in a POST (as the body is encrypted with HTTPS).
Moreover, I would say that for very specific apps (banking apps, etc.), you should obfuscate your application.
I wrote this article about application obfuscation:
Application Obfuscation on iOS
Rémi Lavedrine ・ Jun 27 '19 ・ 7 min read
Dexprotector is a pretty good obfuscator.
And to try your tools against an on-purpose vulnerable app, you can use InsecureBank-v2
Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities
InsecureBankv2 Readme
This is a major update to one of my previous projects, "InsecureBank". This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn about Android insecurities by testing this vulnerable application. Its back-end server component is written in Python. It is compatible with Python 2. The client component, i.e., the Android InsecureBank.apk, can be downloaded along with the source. The list of vulnerabilities that are currently included in this release are:
I created some tools to automate penetration testing on Android mobile applications and tried them against this app as a first try during development before trying them against other applications.
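To make the pinning point above concrete, here is an added example (not from this thread or from the InsecureBankv2 project) of an Android `network_security_config.xml`: first the weak configuration, which trusts user-installed CAs and so lets an interception proxy's certificate decrypt the app's HTTPS traffic, then a hardened configuration that pins the API host's public keys. The domain and pin values are placeholders, and the manifest attribute is referenced in a comment.

```xml
<!-- WEAK (constructed example): trusting user-added CAs means a proxy CA
     installed on the device is accepted, so all API traffic can be read. -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />   <!-- allows user-installed proxy CAs -->
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- HARDENED (constructed example): only system CAs, plus SPKI pins for the
     API host. Reference it from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config". -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <!-- placeholder host, replace with your real API domain -->
        <domain includeSubdomains="true">api.example-bank.invalid</domain>
        <!-- Each pin is base64(SHA-256(SubjectPublicKeyInfo)). Always ship a
             backup pin for a key you control so rotation does not brick the app;
             after expiration Android falls back to normal CA validation. -->
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256_PRIMARY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256_BACKUP=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Pinning does not replace obfuscation: a modified app can have the config stripped, which is why the comment pairs the two for high-value apps.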