When Network Monitor is active, all VM network traffic is redirected through sslsplit, which runs on the same Corellium compute node as the VM; decrypted HTTPS traffic does not leave the node.

Corellium injects a Certificate Authority certificate into the trusted system certificate store.

To defeat certificate pinning, Corellium patches sslsplit, the system's boringssl library, and the integrated WebView's boringssl library. sslsplit is patched to include the original certificate chain inside the generated certificate chain as an X.509 extension. boringssl is patched so that, if the leaf certificate of the original chain includes the X.509 extension, and if the leaf certificate validates against the injected Corellium certificate authority certificate, the original certificate chain is reported to clients of the library rather than the generated certificate chain. This chain is still subject to normal Android and/or boringssl verification rules.
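The selection rule described above can be modelled with real X.509 objects. This is an added example, not Corellium's code: it needs the Python `cryptography` package, and the extension OID, the payload encoding (a single DER leaf rather than a full chain), the host name and the CA names are all assumptions. "Validates against the injected CA" is reduced to a direct signature check, and the normal verification that follows is not modelled.

```python
import datetime, hashlib
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Placeholder OID in a private arc; the page does not name the real extension.
ORIG_CHAIN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")
DER = serialization.Encoding.DER

def issue(cn, key, issuer_cn, issuer_key, embedded=None):
    """Issue a short-lived test certificate, optionally embedding DER bytes."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=30)))
    if embedded is not None:
        b = b.add_extension(x509.UnrecognizedExtension(ORIG_CHAIN_OID, embedded), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def reported_leaf_der(presented, injected_ca):
    """Model of the patched check: which leaf the TLS library reports to the app."""
    try:
        ext = presented.extensions.get_extension_for_oid(ORIG_CHAIN_OID)
        injected_ca.public_key().verify(presented.signature,
            presented.tbs_certificate_bytes, ec.ECDSA(hashes.SHA256()))
    except (x509.ExtensionNotFound, InvalidSignature):
        return presented.public_bytes(DER)   # no swap: the presented certificate
    return ext.value.value                   # original certificate from the extension

def demo():
    k = {n: ec.generate_private_key(ec.SECP256R1())
         for n in ("site_ca", "site", "lab_ca", "other_ca", "proxy")}
    original = issue("app.example.test", k["site"], "Site CA", k["site_ca"]).public_bytes(DER)
    lab_ca = issue("Lab CA", k["lab_ca"], "Lab CA", k["lab_ca"])  # stands in for the injected CA
    pin = hashlib.sha256(original).digest()  # constructed whole-certificate pin
    cases = {
        "lab_ca+ext": issue("app.example.test", k["proxy"], "Lab CA", k["lab_ca"], original),
        "lab_ca_no_ext": issue("app.example.test", k["proxy"], "Lab CA", k["lab_ca"]),
        "other_ca+ext": issue("app.example.test", k["proxy"], "Other CA", k["other_ca"], original),
    }
    return {n: hashlib.sha256(reported_leaf_der(c, lab_ca)).digest() == pin for n, c in cases.items()}

if __name__ == "__main__":
    print(demo())
```

Only the certificate that both carries the extension and is signed by the injected CA satisfies the pin. A certificate from any other issuer that carries the same extension is reported unchanged, so the pin check fails for it.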
