The Network Monitor captures, presents, and monitors HTTPS network traffic, transparently defeating certificate pinning.
Capture network traffic
Capture all network traffic for native files, as well as applications, in a single click. Captured HTTP and HTTPS network traffic and monitored iOS network traffic will appear in the Overview panel. Open a captured packet to display more information, an overview, request, and response.
Inspect network requests
The details panel contains three tabs. The Overview tab contains general information on the request; the Request tab contains HTTP headers captured when the request was made, as well as the body of requests like POST; the Response tab contains the same information, but for the response to the request.
Designed for security
When Network Monitor is active, all VM network traffic is redirected through sslsplit. sslsplit runs on the same Corellium compute node that the VM runs on; unencrypted HTTPS network traffic does not leave the node.
How it works
When Network Monitor is active, all VM network traffic is redirected through sslsplit which runs on the same Corellium compute node that the VM runs on; unencrypted HTTPS network traffic does not leave the node.
Corellium injects a Certificate Authority certificate into the trusted system certificate store.
To defeat certificate pinning, Corellium patches
sslsplit, the system's
boringssl library, and the integrated WebView's
sslsplit is patched to include the original certificate chain inside the generated certificate chain as an X.509 extension. boringssl is patched so that, if the leaf certificate of the original chain includes the X.509 extension, and if the leaf certificate validates against the injected Corellium certificate authority certificate, the original certificate chain is reported to clients of the library rather than the generated certificate chain. This chain is still subject to normal Android and/or
boringssl verification rules.