
We are working on a mobile app that communicates with the backend through a REST API over SSL. The mobile device performs cert validation on the API call (using standard libraries in mobile frameworks). If we try to connect the mobile device through a proxy (such as Charles), we see all the traffic, but it is encrypted - as expected. However, if I enable SSL proxying, generate a root certificate and install that cert on my device, I will see all the data in clear text through Charles - again, as expected.

The question is, how to prevent this? The main target, of course, is to expose data ONLY if the device calls an allowed server with a valid certificate for that server.

Shurik Agulyansky

2 Answers


Offhand, the only way to prevent such a thing, if the attacker has that level of access to the device, would be to use SSL thumbprinting. You would initiate a connection to the server, retrieve the SSL certificate and compare this to a hard-coded value within the app code. If this does not match, abort the connection and don't send the data.

The issue with this, however, is the overhead if the SSL certificate is updated. You would need to release an update to the app with a fresh thumbprint value. This would also stop people using the app until they updated to the latest version.

Peter

The only way to prevent this is through certificate pinning, but if the attacker is able to install a root certificate before you connect for the first time to your API, you can still be MITM'ed.

MvdD
  • Does it mean that there is NO way to prevent this? Regardless of how complex the solution is. – Shurik Agulyansky Oct 13 '15 at 22:56
  • How could there be? The trust chain of the certificate tells you whether to trust the server you are connecting to. But if someone can install a root cert before you connect for the first time, there's no way to determine if the trust chain is genuine. – MvdD Oct 13 '15 at 23:01
  • For someone to be able to modify the root certificates on the device would mean they already have a high level of access to the device and if they really wanted to could do damage regardless of the SSL used. – Peter Oct 13 '15 at 23:03
  • Agree, but that was the question. – MvdD Oct 13 '15 at 23:07
  • My apologies I was actually responding to the op. – Peter Oct 13 '15 at 23:21
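The procedure the first answer describes (open the connection, retrieve the server certificate, compare its thumbprint with a value compiled into the app, abort on mismatch) and the certificate pinning both answers recommend, as an added example in Python that is not part of the original question or answers. The "certificate" bytes, the backup pin and the host name are constructed placeholders, not real values; it uses only the standard library. It goes slightly beyond the answer by shipping a set of pins (current plus backup), which is how the certificate-update overhead the first answer raises is normally handled.

```python
import hashlib
import socket
import ssl

# Constructed stand-in for the server's DER-encoded leaf certificate.
# It is NOT a real certificate; the pin check only hashes the bytes, so any
# byte string exercises the logic offline. For a real app, compute the pin
# from the actual server certificate, for example:
#   openssl x509 -in server.crt -outform DER | openssl dgst -sha256
EXAMPLE_SERVER_CERT = b"constructed-stand-in-for-the-real-DER-certificate"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# Pins compiled into the app. Carrying a second "backup" pin for the next
# certificate lets the server rotate without every installed client breaking
# at the moment of rotation; the app update can then follow at leisure.
PINNED_FINGERPRINTS = {
    fingerprint(EXAMPLE_SERVER_CERT),  # current certificate
    "0" * 64,                          # placeholder for the backup certificate (assumption)
}


class PinMismatch(Exception):
    """Raised when the presented certificate is not one of the pinned ones."""


def check_pin(der_cert: bytes, pins=PINNED_FINGERPRINTS) -> bool:
    """True only if the presented certificate matches a pinned thumbprint."""
    return fingerprint(der_cert) in pins


def pinned_connect(host: str, port: int = 443, pins=PINNED_FINGERPRINTS,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and hand it back only if the leaf cert is pinned.

    Normal chain and hostname validation still runs first (default context);
    the pin check is in addition to it. That is what defeats a proxy whose
    root CA was installed on the device: the proxy's forged certificate chains
    to a trusted root, but its thumbprint is not in the pin set.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not check_pin(der, pins):
            raise PinMismatch(f"certificate presented by {host} is not pinned")
    except BaseException:
        tls.close()  # never send application data over an unpinned channel
        raise
    return tls


def decide(presented_cert: bytes, pins=PINNED_FINGERPRINTS) -> str:
    """Offline illustration of the decision the app makes for a presented cert."""
    return "send data" if check_pin(presented_cert, pins) else "abort"


if __name__ == "__main__":
    # The genuine server passes; a constructed proxy-issued cert is refused.
    print(decide(EXAMPLE_SERVER_CERT))                 # send data
    print(decide(b"constructed-proxy-issued-cert"))   # abort
```

`pinned_connect("api.example.com")` is the call an app would make; `decide` exists only so the check can be run without a network. Two design notes: pinning the hash of the certificate's public key (SubjectPublicKeyInfo) instead of the whole certificate survives renewals that keep the same key pair, which further reduces the update overhead the first answer describes; and, as the second answer and the comments point out, the pin lives inside the app, so an attacker with enough control of the device to install a root certificate and modify the app can also remove the check.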