
I have an SSL connection. If I use the Fiddler or Charles app, I can see the decrypted SSL data. How can I prevent this bug?

Update: I did NOT import the certificate for Charles; my Android device is rooted and I use the ProxyDroid app and allowed untrusted apps. After these manipulations I can see the decrypted data. I want to block this bug...

Update2: I use the class EasyX509TrustManager.java (Apache) for checking the certificate. You can see `void checkServerTrusted`. If I use `certificates[0].checkValidity();`, the certificate is ALWAYS valid, but if I use `standardTrustManager.checkServerTrusted( certificates, authType );`, the certificate can be valid (Charles turned off) or invalid (with Charles). Without `certificates[0].checkValidity();` it works fine, but I'm not sure if that is right.

monyag
  • Could you be a little more clear about what you're trying to block (and possibly why). The two apps you mention are web debugging proxies that cannot be used to hack your users' data, as you have to point the app directly at them. – Philip Couling May 20 '13 at 12:16
  • Is it your app? Do you bypass certificate verification in the first place? – Bruno May 20 '13 at 12:25
  • Yes, it's my application. I want to block this "hack", but not allow all certificates. – monyag May 20 '13 at 13:04

1 Answer


If you haven't imported Charles' or Fiddler's certificate and you're still seeing the traffic from your device, that means that you're not using HTTPS properly. You need to configure your code so that it performs proper chain-checking on the certificate used to secure the HTTPS connection. In most language/framework stacks, this happens automatically and you have to go out of the way to override it.

What language/framework are you using, and what object are you using to send the request?

If you have imported the debugger's certificate to the device, then by default most languages/frameworks will deem it to be trusted. To prevent that, your code must manually evaluate the certificate chain from the server before allowing communication to proceed. This technique is called "certificate pinning".

EricLaw
  • I use the class EasyX509TrustManager.java (Apache) for checking the certificate. You can see `void checkServerTrusted`. If I use `certificates[0].checkValidity();`, the certificate is ALWAYS valid, but if I use `standardTrustManager.checkServerTrusted( certificates, authType );`, the certificate can be valid (Charles turned off) or invalid (with Charles). But I think that it does not solve my problem? – monyag May 23 '13 at 08:14
  • Without `certificates[0].checkValidity();` it works fine, but I'm not sure if that is right. – monyag May 23 '13 at 08:22