Hacker News | throwbaccAndy's comments

Most likely IP address.


For newer Android apps this is no longer true. By default, apps only trust system CAs. User-added system CAs are not trusted by apps. I believe only the browser uses the user-added CAs.


That is why these systems generate their own certificate that you add to your phone, so you still can see the traffic.

For MITMProxy you can visit http://mitm.it when the setup is running.

A bit more difficult with “pinned-certificate”, where you have to:

1) Decompile the app (easy if you search for the online APK-download and APK-decompile tools)

2) Move the certificate out of the APK and use it for the traffic between MITMProxy/Charles and the server

3) Replace the certificate in the APK with one generated for MITMProxy/Charles, or just delete it if that works for the app (most likely not)

4) Re-compile the APK and install on your device

5) Run MITMProxy/Charles as before, just with some parameters to load the “pinned-certificate”

(There are also a lot of guides for this. Maybe not for pinned-certificate.)


1) decompile 2) remove the line that does the pinning (Easy to find) 3) recompile and sign

5 minutes


It can be crazier than that. App makers who work with important APIs often pin to specific certificates (not signers) so we have one final absolute emergency measure to kill a version and force an upgrade when we have to.


That is what I refer to as pinned-certificate. Not often used except by some of the biggest companies like Facebook and Snapchat. See my answer on how to go around this.


Your answer sure wouldn't work for my tiny startup's app's pinning and we followed a guide initially.

