I'm trying to intercept traffic from an Andriod app.
I've forwarded ports 80, 443, 6699 and 6698 on Kali to a listener port and set up arp-spoofing. I'm using BurpSuite on the same computer to listen and intercept (invisible proxy).
Certificates have been installed properly on both host and device and are working for all traffic except the app I'm interested in.
Using Frida I've tried various SSL pinning bypass scripts (the most popular) and none have been successful, Burp continues to report a TLS fatal exception ca_unknown and the app's function remains restricted.
The app in question is a ISP router companion app, you use it to get live information about the internet connection and can use it to change settings on the router. The traffic is local, using TCP port 6699 but can also use 6698.
Are there any clues I can look for in the apk which may point me towards the SSL methods being employed by the app? I've had a look and can see directories for OKHTTP3 and BouncyCastle.
The parts of the app that communicate remotely (cloud API calls) can be intercepted without issue.
Could the problem be something entirely different than SSL pinning given this particular issue is solely based on local communication? My train of thought being, why employ SSL pinning for traffic that'll only ever be local?