it's even easier than that as all apps (except native ones) will be using the java TrustManager interface
> Also, it takes more than one byte if the binary is obfuscated
but they can't hide the calls into TrustManager
a small utility could automatically take in the APK, patch out the calls and return the fixed APK for you
(would probably work for 99% of apps out of the box)
Is this required? i.e. do all apps have to use the TrustManager interface to accomplish cert pinning, or is that merely the official way?
well, Java is Turing complete, so you could completely re-implement TLS yourself instead of using the API that comes with the platform
in practice no-one is going to do that
it's even easier than that as all apps (except native ones) will be using the java TrustManager interface
> Also, it takes more than one byte if the binary is obfuscated
but they can't hide the calls into TrustManager
a small utility could automatically take in the APK, patch out the calls and return the fixed APK for you
(would probably work for 99% of apps out of the box)