
In my Android app we are using a Retrofit web service for communication with the server. Some hacker intercepts the requests and modifies them using a tool, Burp Suite.

Please help me by letting me know how I can stop this intercept attack.

Amit Yadav
  • You can try this https://stackoverflow.com/questions/7631025/securing-a-rest-api-accessible-from-android#answer-7631081 –  Nov 29 '21 at 06:16
  • There are many ways to secure your web service communications, like encryption/decryption or adding auth keys in the header. – Upendra Shah Nov 29 '21 at 13:31
    If you want to stop people from reverse engineering your app, don’t. The best that can achieve is to undermine your users’ trust. – user3840170 Nov 29 '21 at 21:12

1 Answer


What Burp Suite does is basically perform a man-in-the-middle attack. It generates an HTTPS certificate and pretends to be a browser.

The thing is, if your server and your client are protected from this MITM attack, those tools won't work. At least in mobile apps; the browser will show a security error but will still pass the data through.

The solution you can use is including your specific SSL certificate in the app and making the app consider it the only trusted one. It will be more or less secure, depending on the implementation. It is also free, because you can attach a self-signed certificate you created yourself, since you control the verification. Naturally, the backend should also use the same SSL certificate. While using this technique, Burp Suite's generated certificates won't work because the app knows only one trusted certificate.

The technique itself is called SSL pinning or certificate pinning, and you can find plenty of info online about how to implement it on both the client and the server.

I will give you several links though:

Here is a nice article about how to do it with Retrofit (OkHttp).

Here is the official documentation for OkHttp's CertificatePinner.

Here is a small implementation of Retrofit SSL pinning.

Here is one more article.

It is not enough, but the issue is complex and one Stack Overflow answer won't suffice. Still, I think it is a good start for the actual implementation.

Also, as a small recommendation: use encryption to store your SSL certificate key instead of plain string storage. It still won't be secure from memory spoofing, but it will be much harder for the hacker to use it.

Pavlo Ostasha
  • SSL is already implemented on our website, which is connected to the application. When I started testing I bypassed that SSL pinning and performed the attack. How do I avoid the SSL pinning bypass? – Amit Yadav Dec 01 '21 at 09:51
  • It means that SSL pinning is not set up properly on either the client side or the server side. I have implemented it in several apps as well, and everything worked as expected. You can also use [this](https://stackoverflow.com/a/7631081/9248201). I am not sure it will work in your case, but it is an easier solution. It will require work from both client and server. – Pavlo Ostasha Dec 01 '21 at 09:56
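The OkHttp CertificatePinner approach the answer points to, written out as an added example (not code from the answer or from the OkHttp project); the hostname and the two `sha256/` pins are placeholders and the `openssl` pipeline in the comment is the usual way to derive a real pin from the server's public key:

```java
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;

import java.util.concurrent.TimeUnit;

/** Builds a Retrofit instance whose OkHttp client only trusts the pinned public keys. */
public final class PinnedApiFactory {

    // Placeholder host; replace with the API host your app talks to.
    static final String API_HOST = "api.example.com";

    // Placeholder pins. A real pin is "sha256/" + base64(SHA-256 of the certificate's
    // SubjectPublicKeyInfo). It can be derived from the live server with:
    //   openssl s_client -connect api.example.com:443 </dev/null 2>/dev/null \
    //     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | base64
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    // Backup pin for the key you will rotate to next. Without it, a key rotation on the
    // server locks out every installed app until users update.
    static final String BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    public static OkHttpClient buildClient() {
        // Pinning is checked after normal chain validation, so the server certificate must
        // still be valid. A proxy's generated certificate fails here even if the device
        // trusts the proxy CA: OkHttp throws SSLPeerUnverifiedException, and its message
        // lists the pins of the chain actually presented, which helps debug a mismatch.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectTimeout(10, TimeUnit.SECONDS)
                .readTimeout(30, TimeUnit.SECONDS)
                .build();
    }

    public static Retrofit buildRetrofit() {
        return new Retrofit.Builder()
                .baseUrl("https://" + API_HOST + "/")
                .client(buildClient())
                .addConverterFactory(GsonConverterFactory.create())
                .build();
    }
}
```

Pinning only protects the connection; it does not prevent a modified build of the app from being shipped without the pin, which is the limit the comments above allude to.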