I need to create scripts for a mobile application for a credit card issuer company. The app is responsible for showing users' balances and other account administration tasks.
The app uses "certificate pinning", i.e. it does not use the certificates on the device; instead, its own certificate is hardcoded.
We have tried several ways of recording the traffic of such application with no success.
Is there a solution for recording such a script? This technique is becoming quite common and I want to know if in the future the only way to create scripts for such apps would be to manually develop the calls.
Thanks a lot for your help,
Answer by Nyna W. ·
The security implemented in some banking mobile native applications always prevents the Recorder from recording the script, especially for the HTTPS requests. Manual recording with HTTP Actions is the recommended way. The other way is to record a script to the API used by the app.
Answer by mark e. ·
You will not be able to "record" HTTPS traffic from a mobile app that uses certificate pinning. Even the best third-party proxy tools (e.g. Charles Proxy) state that they cannot support this due to the fact that they act as a man in the middle and it's necessary for the server to be able to accept their SSL certificate, not just the one 'hard coded' into the app.
If you are manually trying to create a test using HTTP and custom actions, it may be possible to use the Windows Recorder client certificate support to add your application certificate into the script. We essentially take the certificate and 'hard code' it into the script, so if you can get a copy of the certificate to import (we support import of .P12 only), it may be possible for a manually scripted test to execute.
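Added example, not part of the original thread or of any product's code: a minimal Python model of the pin check a pinned app performs, showing why a recording proxy's certificate is refused even when its root is trusted by the device. The certificate bytes, names and the `os_trusts_chain` flag are constructed assumptions; this version pins the hash of the whole certificate, matching the "hardcoded certificate" described in the question.

```python
import base64
import hashlib
import hmac

def pin_of(cert_der: bytes) -> str:
    """Pin string in the common 'sha256/<base64>' form over the certificate bytes."""
    digest = hashlib.sha256(cert_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

def check_connection(chain, os_trusts_chain, pinned):
    """Return (allowed, reason) for a presented chain of DER certificates.

    chain           -- certificates the server sent, leaf first
    os_trusts_chain -- outcome of normal device trust-store validation (assumed input)
    pinned          -- set of pin strings compiled into the app
    """
    if not chain:
        return False, "no certificate presented"
    if not os_trusts_chain:
        return False, "chain not trusted by device store"
    for cert in chain:
        candidate = pin_of(cert)
        # Constant-time comparison against every pinned value.
        if any(hmac.compare_digest(candidate, p) for p in pinned):
            return True, "pin matched"
    return False, "pin mismatch"

# Constructed stand-ins for DER certificates (not real certificates).
ISSUER_LEAF = b"constructed: api server leaf certificate"
ISSUER_CA = b"constructed: issuer private CA certificate"
BACKUP_LEAF = b"constructed: backup key certificate"
PROXY_LEAF = b"constructed: leaf minted by recording proxy"
PROXY_CA = b"constructed: proxy root installed on the device"

# Pins shipped inside the app: current leaf plus a backup for rotation.
APP_PINS = {pin_of(ISSUER_LEAF), pin_of(BACKUP_LEAF)}

def demo():
    direct = check_connection([ISSUER_LEAF, ISSUER_CA], True, APP_PINS)
    # The proxy root is installed on the device, so OS validation passes,
    # yet nothing in the proxy's chain matches a pin compiled into the app.
    proxied = check_connection([PROXY_LEAF, PROXY_CA], True, APP_PINS)
    untrusted = check_connection([PROXY_LEAF, PROXY_CA], False, APP_PINS)
    return direct, proxied, untrusted

if __name__ == "__main__":
    for result in demo():
        print(result)
```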