Our Android app uses a REST API. When I try to capture the request and response with the Packet Capture Android app, it shows the request and the response. I want to prevent HTTP capture of the request and response.
- I have seen this post on various methods to capture request and response from an Android app: [http://stackoverflow.com/questions/27887719/how-can-i-capture-packets-in-android]. – Kumar Jan 04 '17 at 14:11
- Use SSL certificate pinning. Then, at least, the attacker needs to modify your app to remove that pinning. However, in the end, you have no practical means of stopping packet inspection, simply because the attacker can always modify your app to disable any prevention mechanisms that you add. – CommonsWare Jan 04 '17 at 14:17
- @CommonsWare thanks for your comment. We are using SSL; my worry is that the user is able to see the token and what data is flowing from the mobile app to the server. – Kumar Jan 04 '17 at 14:33
1 Answer
Disable HTTP without TLS on your server and use certificate pinning on the client. The attacker will then only be able to see requests by reverse engineering or modifying the application. There is no way to be 100% secure in this case: if the user has network access he will be able to see the data. HTTPS and certificate pinning will be a reasonably big obstacle for most attackers.

Jonas Köritz
- Thanks for your valuable answer. If the server changes its certificate, what happens to my existing app users? I have referred to this link (https://artemzin.com/blog/certificate-pinning-notes-for-android-java/). – Kumar Jan 05 '17 at 04:38
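An added example, not code from the question or the answer: the answer's client-side recommendation implemented with OkHttp's CertificatePinner (a library the page itself does not name, assumed here), pinning the API host's public key and registering a second, backup pin so the certificate rotation asked about in the follow-up comment can be done without locking out already installed apps. The hostname and both pin values are placeholders.

```java
// Added example (not from the question or answer above): OkHttp certificate pinning
// with a backup pin so a planned certificate rotation does not lock out installed apps.
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import javax.net.ssl.SSLPeerUnverifiedException;
import java.io.IOException;

public final class PinnedClient {
    // Placeholder host and pins. Real pins are the base64 SHA-256 of the server key's
    // SubjectPublicKeyInfo; generate the backup key pair ahead of time and ship its pin
    // in the app before the server switches to it.
    private static final String API_HOST = "api.example.com";
    private static final String CURRENT_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, CURRENT_PIN)   // pin for the key in use today
                .add(API_HOST, BACKUP_PIN)    // pin for the pre-generated next key
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    public static String fetch(OkHttpClient client) throws IOException {
        // Only https:// URLs are built here; with plain HTTP disabled on the server
        // this is the only scheme that can reach the API anyway.
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/v1/profile")
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // The presented chain (e.g. a capture tool's own certificate) matched no pin:
            // fail closed instead of sending the token to an unverified peer.
            throw new IOException("Certificate pin mismatch for " + API_HOST, e);
        }
    }
}
```

Because the pin list lives in the app, a rotation to a key that is not already pinned in the installed version breaks those clients, which is why the backup pin is added before the server-side change rather than after.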