Android: prevent sniffing (e.g. with CharlesProxy) of SSL traffic

若如初见. 提交于 2019-12-03 03:08:25

...I installed the Charles CA cert on my phone and because of that, I'm able to decrypt every SSL traffic.

But I found apps, where I'm not possible to see the SSL traffic. How can I implement this behavior into my own app? With this, no man in the middle attack would be possible.

This can be done with certificate/public key pinning, where you don't check the servers certificate against the local root certificates, but instead make sure that you only get the expected certificate. See OWASP for details and code samples.

Certificate Pinning is what you are after, but be aware that doing so is not without its disadvantages and complications. Certificate pinning adds a layer of complexity to your system which means more work on deployment day and one more thing that can go wrong.

A classic mistake that is made with Certificate Pinning is that the backend team will update/change/tweak the server certificate when they release an update, and forget that the clients are using certificate pinning, which will basically bring your entire system to a halt.

The reason that the big boys use it is to disguise their api so that it is difficult for hackers/leechers to make uninvited calls into their backend.

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!