Failed to Capture Binance App Packets with Charles: Certificate Pinning Explained

When technical researchers or security auditors attempt to capture HTTPS traffic from the Binance App using Charles or mitmproxy, they find that the app either outright rejects the connection or throws an SSL error. This occurs because Binance has implemented Certificate Pinning. This note explains the mechanism from a technical perspective. To download the app, visit the Binance Official Website or Binance Official App; for iPhone installation, refer to the iOS Setup Tutorial.

What is Certificate Pinning?

Standard HTTPS validation process:

1. The app initiates a connection.
2. The server returns its certificate.
3. The app checks if the certificate is issued by a Certificate Authority (CA) trusted by the system.
4. Any certificate signed by a trusted CA is accepted.

Certificate Pinning is a stricter check:

1. The app contains a built-in "expected certificate fingerprint."
2. After the server returns the certificate, the app checks not only the CA but also whether it matches the built-in fingerprint.
3. Mismatch → Connection rejected.

Why Do Financial Apps Implement Pinning?

To prevent Man-in-the-Middle (MitM) attacks:

• An attacker could trick a user into installing their root certificate.
• They could then hijack the traffic using their own certificate.
• Standard HTTPS validation would pass (because the root certificate has been whitelisted).
• However, Pinning would reject it (because the fingerprint doesn't match).

Financial apps like Binance, banks, and PayPal widely implement Pinning.

How Charles / mitmproxy Works

Steps for capturing HTTPS packets with Charles:

1. The device installs and trusts the Charles root certificate.
2. The proxy settings are pointed to Charles.
3. The app sends a request → Charles disguises itself as the target using its own certificate.
4. The app validates: CA is trusted (because the Charles certificate is installed).
5. A regular app accepts it → Packet capture succeeds.

But the Binance App adds an extra check in step 4:

5'. Check certificate fingerprint → Mismatch → Reject.

Therefore, the packet capture fails.

Specific Symptoms of Capture Failure

Symptom	Cause
Spinning wheel upon app launch	TLS handshake rejected
Blank market charts	WebSocket connection rejected
API returns connection error	Certificate validation failed
Charles shows SSL Handshake Error	Same as above
App crashes directly (rare)	Uncaught exception handling

Ways to Bypass Pinning

Researchers might use:

• Frida scripts: Dynamically replace the certificate validation logic within the app.
• LSPosed / Magisk modules: Inject modified code.
• Decompiling the APK, modifying the dex, and repackaging.
• Using a PIN-SSL modifier.

These methods require a rooted device and violate the app's terms of service. Binance App's security mechanisms may also detect these tools.

Why Regular Users Might Encounter This Issue

The vast majority of users never capture packets, but there are a few unexpected scenarios:

Scenario 1: Corporate Network SSL Interception Companies may decrypt HTTPS traffic at the router level for monitoring:

• They install the company root certificate on all employee devices.
• Traffic is decrypted.
• The Binance App rejects the connection (incorrect fingerprint).

Diagnosis: Check if other HTTPS-dependent apps, like banking apps, also fail to connect.

Scenario 2: Antivirus HTTPS Checking Antivirus software like Kaspersky or Avast scans HTTPS traffic:

• It uses a similar MitM approach.
• The Binance App might reject it.

Solution: Temporarily disable the antivirus HTTPS checking feature.

Scenario 3: Installed a "Network Accelerator" Some "accelerators" are actually functioning as traffic proxies:

• The user installs a root certificate without realizing it.
• The tool captures and accelerates traffic.
• Binance rejects it.

Solution: Uninstall accelerators from unknown sources.

The Pinning Update Mechanism

The Certificate Pinning fingerprint changes (when Binance replaces its certificate):

• Usually, the app has multiple built-in fingerprints.
• If one expires, it doesn't affect the connection.
• They are synced and updated when you upgrade the app.

If you do not upgrade the app for a long time, one day both the Pinning fingerprint and the server certificate might change, causing connection failures.

Different Client Implementations

Binance's Pinning strictness across platforms:

Client	Pinning Strictness
Android App	Strict
iOS App	Strict
Desktop Client	Strict
Browser	Not implemented (relies on OS trust)

Browsers do not have Pinning (which is why browsers can be subjected to MitM attacks, while the app cannot).

Packet Capture Alternatives

Alternatives for technical research:

• Use the official Binance API documentation (public).
• Use the interfaces provided by SDKs.
• Web version packet capture (using browser developer tools).
• Network layer packet capture (using Wireshark, but you can only see ciphertext).

None of these methods require breaking the app's security mechanisms.

Security Recommendations

• Do not install root certificates from unknown sources.
• Be cautious when using the Binance App on corporate or public Wi-Fi.
• Whitelist Binance if your antivirus's HTTPS check conflicts with it.
• Do not root your primary, frequently-used device.

FAQ

Q: Can Charles capture packets from the Binance web version? A: Yes (browsers do not have Pinning), but you can only see web traffic, not app traffic.

Q: Can mitmproxy disable Pinning for the Binance App? A: Not mitmproxy alone. It must be used in conjunction with tools like Frida.

Q: Will Binance be blocked after installing an enterprise root certificate on iOS? A: Possibly. It depends on whether the specific certificate is embedded into the trust chain.

Q: Is it possible to capture packets on a rooted Android device? A: It is theoretically possible using tools like Frida, but it violates the app's terms of service.

Further Reading

• Certificate Fingerprint Verification
• CDN Domain List
• APK Signature