
Android: prevent sniffing (e.g. with CharlesProxy) of SSL traffic

Posted by: admin June 16, 2020

Questions:

I use Charles to check what data is sent through my app over HTTPS. I installed the Charles CA cert on my phone and because of that I’m able to decrypt all SSL traffic.

But I found apps where I’m not able to see the SSL traffic. How can I implement this behavior in my own app? With this, no man-in-the-middle attack would be possible.

Answers:

…I installed the Charles CA cert on my phone and because of that I’m able to decrypt all SSL traffic.

But I found apps where I’m not able to see the SSL traffic. How can I implement this behavior in my own app? With this, no man-in-the-middle attack would be possible.

This can be done with certificate/public key pinning, where you don’t check the server’s certificate against the local root certificates, but instead make sure that you only get the expected certificate. See OWASP for details and code samples.

Answer:

Certificate Pinning is what you are after, but be aware that doing so is not without its disadvantages and complications. Certificate pinning adds a layer of complexity to your system which means more work on deployment day and one more thing that can go wrong.

A classic mistake that is made with Certificate Pinning is that the backend team will update/change/tweak the server certificate when they release an update, and forget that the clients are using certificate pinning, which will basically bring your entire system to a halt.

The reason that the big boys use it is to disguise their API so that it is difficult for hackers/leechers to make uninvited calls into their backend.