aishwaryabhishek3
02/27/2023, 10:56 AM
PackageManager.GET_SIGNING_CERTIFICATES
so I do not have to store it anywhere in my codebase as anything can be reverse engineered. Is this method secure or can any hacker figure out my SIGNING_CERTIFICATES as well?
CLOVIS
02/27/2023, 10:57 AM
aishwaryabhishek3
02/27/2023, 10:59 AM
CLOVIS
02/27/2023, 11:00 AM
aishwaryabhishek3
02/27/2023, 11:01 AM
CLOVIS
02/27/2023, 11:02 AM
aishwaryabhishek3
02/27/2023, 11:03 AM
CLOVIS
02/27/2023, 11:03 AM
aishwaryabhishek3
02/27/2023, 11:04 AM
CLOVIS
02/27/2023, 11:05 AM
aishwaryabhishek3
02/27/2023, 11:05 AM
CLOVIS
02/27/2023, 11:05 AM
aishwaryabhishek3
02/27/2023, 11:06 AM
CLOVIS
02/27/2023, 11:06 AM
aishwaryabhishek3
02/27/2023, 11:07 AM
CLOVIS
02/27/2023, 11:07 AM
aishwaryabhishek3
02/27/2023, 11:10 AM
CLOVIS
02/27/2023, 11:11 AM
aishwaryabhishek3
02/27/2023, 11:13 AM
CLOVIS
02/27/2023, 11:14 AM
Jonas de Faria Alves
02/27/2023, 1:46 PM
Ivan CLOVIS Canet [12:11 PM]
With regards to API keys specifically, they’re even easier to access: just set up a proxy and inject the fake certificate into the device, and you can listen in on all traffic (and read all credentials)
That’s only true with unencrypted traffic, which no one should be doing, or when not pinning the certificate.
CLOVIS
02/27/2023, 1:58 PM
aishwaryabhishek3
02/27/2023, 2:03 PM
CLOVIS
02/27/2023, 2:04 PM
aishwaryabhishek3
02/27/2023, 2:15 PM
CLOVIS
02/27/2023, 2:16 PM
Azamat Murzagalin
03/05/2023, 12:40 PM