Is intercepting app HTTPS traffic possible on apps that use SSL pinning and SafetyNet?

I'm wondering if it is still possible these days to proxy/spoof traffic on secured apps, for example the McDonald's app. I use this example because it's a well-known app with a lot of security measures in place:

  • SafetyNet checks
  • Root checks
  • Certificate pinning
  • SSL encryption
  • Proxy aware

On Android you could root your phone and use MagiskHide so the app passes the root checks. You could use Universal SafetyNet Fix to still pass SafetyNet. With Move Certificates you could install the certificate of your proxy into the system certificates on Android. And if you used mitmproxy in transparent mode, the app would not be aware it's being proxied. But then there's still certificate pinning... For that there are modules like TrustMeAlready (EdXposed) and SSLUnpinning, or Frida's universal SSL unpinning script. The latter requires me to disable MagiskHide for the app, so the root checks would fail, and the former also makes it impossible to start the app (the app shows an error).

Are there setups, tools, or methods to still successfully proxy the traffic without the app complaining?
