SSL pinning is getting tampered in ionic android

We have developed an Ionic app with SSL pinning using advancedHttpPlugin, but still the security team was able to use a third-party tool to install a CA on the mobile and track the application. They provided the message below for fixing the issue.

Secure Socket Layers (SSL), or Transport Layer Security (TLS) in its more modern implementation, are protocols designed to provide security for network communication by means of encryption. This protocol is most commonly associated with other protocols to provide a secure implementation of the service that protocol provides. Certificate pinning is the process of associating the backend server with a particular X.509 certificate or public key instead of accepting any certificate signed by a trusted certificate authority. After storing (“pinning”) the server certificate or public key, the mobile app will subsequently connect to the known server only. Withdrawing trust from external certificate authorities reduces the attack surface (after all, there are many cases of certificate authorities that have been compromised or tricked into issuing certificates to impostors).

a) In order to make your communication safer, explicitly compare the SSL certificate used for the connection with an expected client-side certificate.

On Ionic, is there any other method we need to include to also restrict Burp CA?
We followed this blog for SSL pinning.

Please help me to fix this. Thanks in advance.

Ionic/Capacitor now offers first party support for SSL pinning, though it requires an Enterprise license I think.

There seem to be several SSL pinning issues with the Cordova plugin you are using.

Thanks [twestrick] for the quick reply.
We have applied the above mechanism, but our security team is able to decompile the app and tamper with the certificate in the WWW/Certificate folder.
How can we restrict decompiling of the WWW folder?

I have almost zero knowledge of SSL pinning besides what I read today in Ionic’s blog and the additional details here.

With that said, I don’t see why having the ability to tamper with the cert is a problem. The certificate in the app is the public certificate from your server so it is fine being seen publicly. Then, if the cert is tampered with within the app, the app would refuse to connect to your server because the cert wouldn’t be valid when it tries to validate against your server’s cert.

I could be missing something :thinking: