The Network Monitor captures and presents HTTP and HTTPS network traffic, transparently defeating certificate pinning. In the device screen, you can find this in the Network tab.

Corellium Network Monitor

To start capturing network traffic, click Start Monitoring. Captured HTTP and HTTPS network traffic will appear in the Overview panel. Click a captured packet to display more information, an overview, the request, and the response, in the details panel below.

Corellium Network Response

The details panel contains three tabs. The Overview tab contains general information on the request; the Request tab contains HTTP headers captured when the request was made, as well as the body of requests like POST; the Response tab contains the same information, but for the response to the request.

To stop capturing network traffic, click Stop Monitoring.

Implementation Notes

When Network Monitor is active, all VM network traffic is redirected through sslsplit. sslsplit runs on the same Corellium compute node that the VM runs on; unencrypted HTTPS network traffic does not leave the node.

Corellium injects a Certificate Authority certificate into the trusted system certificate store.

To defeat certificate pinning, Corellium patches sslsplit, the system's boringssl library, and the integrated WebView's boringssl library. sslsplit is patched to include the original certificate chain inside the generated certificate chain as an X.509 extension. boringssl is patched so that, if the leaf certificate of the original chain includes the X.509 extension, and if the leaf certificate validates against the injected Corellium certificate authority certificate, the original certificate chain is reported to clients of the library rather than the generated certificate chain. This chain is still subject to normal Android and/or boringssl verification rules.

Did this answer your question?