Certificate pinning

Some apps use certificate pinning or custom trust logic. In these cases, HTTPS MITM will fail and Trace will fall back to passthrough.

What you will see

  • The request appears, but the body may be empty or encrypted.
  • The Certificate tab shows the original server certificate.
  • The connection may fail if the app rejects the MITM certificate.

How to recognize pinning

  • HTTPS bodies stay encrypted even after installing the root CA.
  • Requests fail with TLS errors or retries.
  • The app works without Trace but fails when capture is active.

What you can do

  • Disable HTTPS inspection for that app or host if you only need metadata.
  • Use full-tunnel mode to capture more context, then analyze with exports.
  • Use a debug build of the app with pinning disabled (recommended for internal apps).
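For the debug-build option, one way to keep pinning in release builds while letting a debug build trust the capture root CA. This is an added example, not part of Trace or its documentation. It assumes the internal app is an Android app that pins through the platform Network Security Config; the host name and pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Added example: api.internal.example and both pin values are placeholders. -->
<network-security-config>

    <!-- Release behaviour: connections to this host must present a key
         that matches one of the pinned SPKI hashes. A proxy-issued
         certificate fails this check even when its root CA is installed. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.internal.example</domain>
        <pin-set>
            <pin digest="SHA-256">PRIMARY_SPKI_SHA256_BASE64_PLACEHOLDER</pin>
            <pin digest="SHA-256">BACKUP_SPKI_SHA256_BASE64_PLACEHOLDER</pin>
        </pin-set>
    </domain-config>

    <!-- Debug behaviour: this element is honoured only when the build has
         android:debuggable="true". User-installed CAs become trusted and
         bypass the pin-set above; release builds ignore this element. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" overridePins="true" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

This only affects pinning enforced by the platform configuration. Pinning implemented in the app's own code or HTTP client needs a separate debug-only switch.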

Tip

Pinning is a security feature. Only bypass it when you have explicit permission to do so.