Android: prevent sniffing (e.g. with CharlesProxy) of SSL traffic

Question

I use Charles to check what data is send throw my app to HTTPS. I installed the Charles CA cert on my phone and because of that, I\'m able to decrypt every SSL traffic.

Answer 1

Certificate Pinning is what you are after, but be aware that doing so is not without its disadvantages and complications. Certificate pinning adds a layer of complexity to your system which means more work on deployment day and one more thing that can go wrong.

A classic mistake that is made with Certificate Pinning is that the backend team will update/change/tweak the server certificate when they release an update, and forget that the clients are using certificate pinning, which will basically bring your entire system to a halt.

The reason that the big boys use it is to disguise their api so that it is difficult for hackers/leechers to make uninvited calls into their backend.