Android: prevent sniffing (e.g. with CharlesProxy) of SSL traffic

Backend · Unresolved · 2 · 709
萌比男神i 2021-02-06 02:23

I use Charles to check what data is sent through my app over HTTPS. I installed the Charles CA cert on my phone and because of that, I'm able to decrypt all SSL traffic.

2 answers
  •  时光说笑
    2021-02-06 02:35

    Certificate Pinning is what you are after, but be aware that doing so is not without its disadvantages and complications. Certificate pinning adds a layer of complexity to your system which means more work on deployment day and one more thing that can go wrong.

    A classic mistake that is made with Certificate Pinning is that the backend team will update/change/tweak the server certificate when they release an update, and forget that the clients are using certificate pinning, which will basically bring your entire system to a halt.

    The reason that the big boys use it is to disguise their API so that it is difficult for hackers/leechers to make uninvited calls into their backend.
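One way to apply the pinning described in this answer on Android, as an added example that is not from the original post: a Network Security Config (Android 7.0 / API 24 and later) that pins a hostname to two SPKI hashes, a current one and a backup, with an expiration date so that a forgotten certificate rotation falls back to ordinary CA validation instead of halting every client. The hostname, pin values and date are placeholders, and the debug-overrides block keeps the Charles workflow from the question working in debuggable builds only.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Reference it from AndroidManifest.xml:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Hostname, pin values and expiration date below are placeholders. -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- Each pin is base64(SHA-256(SubjectPublicKeyInfo)). Pinning the
             public key rather than the certificate means a reissued cert that
             keeps the same key still validates. Keep at least one backup pin
             for a key stored offline, and set an expiration: once it passes,
             pinning is disabled and the app falls back to normal CA validation
             rather than failing closed for every user. -->
        <pin-set expiration="2022-12-31">
            <pin digest="SHA-256">PLACEHOLDER_CURRENT_KEY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_KEY_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>
    <!-- Applied only when the build has android:debuggable="true": a
         user-installed CA such as Charles's is trusted, and pins are not
         enforced for chains ending in these debug-only anchors. Release
         builds ignore this block. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Compute the pin values from the server's public key, not from a downloaded leaf certificate alone, and track the expiration date in the release calendar so the backup-key rotation is planned rather than discovered in production.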
