 

Android: prevent sniffing (e.g. with CharlesProxy) of SSL traffic

I use Charles to check what data is sent through my app over HTTPS. I installed the Charles CA cert on my phone and because of that, I'm able to decrypt all SSL traffic.

But I found apps where it's not possible for me to see the SSL traffic. How can I implement this behavior in my own app? With this, no man-in-the-middle attack would be possible.

mars3142 asked Dec 04 '14 08:12


2 Answers

...I installed the Charles CA cert on my phone and because of that, I'm able to decrypt all SSL traffic.

But I found apps where it's not possible for me to see the SSL traffic. How can I implement this behavior in my own app? With this, no man-in-the-middle attack would be possible.

This can be done with certificate/public key pinning, where you don't only check the server's certificate against the local root certificates, but instead make sure that you only accept the expected certificate (or public key). See OWASP for details and code samples.

Steffen Ullrich answered Nov 15 '22 21:11


Certificate Pinning is what you are after, but be aware that doing so is not without its disadvantages and complications. Certificate pinning adds a layer of complexity to your system which means more work on deployment day and one more thing that can go wrong.

A classic mistake that is made with Certificate Pinning is that the backend team will update/change/tweak the server certificate when they release an update, and forget that the clients are using certificate pinning, which will basically bring your entire system to a halt.

The reason that the big boys use it is to disguise their api so that it is difficult for hackers/leechers to make uninvited calls into their backend.

shredder answered Nov 15 '22 19:11