<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>Cert-Pinning on Crusader Research</title>
		<link>https://crusaderproxy.com/research/en/tags/cert-pinning/</link>
		<description>Recent content in Cert-Pinning on Crusader Research</description>
		<generator>Hugo</generator>
		<language>en-US</language>
		
		
		
		
			<lastBuildDate>Thu, 02 Jul 2026 00:00:00 +0000</lastBuildDate>
		
			<atom:link href="https://crusaderproxy.com/research/en/tags/cert-pinning/index.xml" rel="self" type="application/rss+xml" />
			<item>
				<title>The Android 14 CA move that broke every &#39;/system/etc&#39; pinning tutorial</title>
				<link>https://crusaderproxy.com/research/en/posts/intercepting-mobile-apps-that-fight-back/</link>
				<pubDate>Thu, 02 Jul 2026 00:00:00 +0000</pubDate>
				<guid>https://crusaderproxy.com/research/en/posts/intercepting-mobile-apps-that-fight-back/</guid>
				<description>&lt;p&gt;Ninety percent of mobile testing is web testing you already know — REST, tokens, IDOR, injection. The other ten percent is a wall you hit before you can do &lt;em&gt;any&lt;/em&gt; of it: getting the app&amp;rsquo;s HTTPS traffic to land in your proxy as plaintext. And most write-ups get that ten percent wrong, because they were written for an Android that no longer exists. You follow the steps, the cert goes into &lt;code&gt;/system&lt;/code&gt;, the app still throws handshake errors, and you conclude the app has exotic pinning. It doesn&amp;rsquo;t. &lt;strong&gt;Google moved the trust store out from under you and the tutorial never noticed.&lt;/strong&gt;&lt;/p&gt;</description>
			</item>
	</channel>
</rss>
