Location: Australia

Remote: Yes

Willing to relocate:

Technologies: MuleSoft / Mule / Python / Java / C# / Test Automation / Security / REST and GraphQL Design / Integration Architect, RDMS, FaaS (AWS Lambda)

Résumé/CV: 8 years of MuleSoft / Mule experience, available on request

Email: mulesoft@tutanota.com

SEEKING WORK | APAC / Australia / New Zealand | Remote (US hours acceptable)

Integration and API development specialist, MuleSoft architect and API developer with 6+ years contracting experience and 8 years working with MuleSoft products. I have a history of working with some of the largest implementations globally.

Available to keep your partners and consultants honest or review and feedback your internal developers work, Mule application review, API strategy review, advice on how to reduce core utilization, migrate/transition off of the platform, version upgrades and platform stability improvements. Also available for implementation and solution design work. Hourly or per-project pricing available.

Skills: Mule / MuleSoft, test automation, performance testing, performance tuning, security review, CI/CD automation, monitoring and alerting, Java, Python, C#, RESTful APIs, GraphQL, event-driven architecture, digital transformation and integration modernization projects.

Email: mulesoft@tutanota.com

Great article Adam, fyi the LinkedIn link on your website is broken. Was trying to look up your history.

Also Ctrl F: "beleive" -> "believe"

Thanks - I'll fix that. There aren't too many Adam Gordon Bell's out there though.

Certificate pinning has made this a pain in the arse.

You can only pin your own certificate, not someone else’s. In this case you probably don’t even need SSL proxying to pin down the culprit, as I dare say not many apps connect to wikimedia on startup. You do need SSL proxying to be sure though.

The app may not load at all with mitmproxy if it has pinned its server cert though.

No, you can selectively decrypt HTTPS requests for only some domains, and act as passthrough for others.

Nope. Starting from Android 10, unless an app has explicitly allowed user certificates (and no-one reasonably does, it's all behind a <debug-overrides> flag), you will not be able to MITM it. You may inject your certificates as much as you want. The only option is to have a device on which you have root access, which can push system certificates with adb. This pretty much only means the android emulator these days.

I don’t use Android so I wasn’t aware of that. But that’s a completely separate concern from cert pinning which does not hinder decrypting third party connections at all.

Edit: after looking into this a bit, this is pretty nuts. How do enterprises inject certificates now?

re enterprise injection:

They don't. It's been made increasingly clear that allowing certs roots to infect unrelated apps is a Bad Thing. MDM profiles etc presumably allow internal certs to be deployed, but those are hopefully limited as countries, let alone companies, have attempted to use those mechanisms to spy on millions of people.

So it's still possible on rooted devices? Seems good enough.

MS and Boomi runs on AWS. Not those ones.

Mulesoft on AWS is a mess, though I'm not sure if that's Mule's fault, AWS's fault, or the fact that it's an integration platform and it's always a damn mess.

Hey Gene, share a link to this post with your MuleSoft Customer Success Manager. Salesforce's acquisition made some changes to how we work with Not for Profit customers. If you're in my region, I look forward to seeing if we can help. Overhauling Enterprise integration for cost alone sucks, especially since it seems like you're happy with product.