androidproxyfiddlernetwork-traffic

How to secure android app from network traffic capturing


My app is making some http requests and I don't want others to see the content of those requests. At the moment I can easily check what my app is doing by using Fiddler. Now in order to track network traffic on my phone I had to change my Wi-Fi settings and connect to the Internet using proxy server. i.e. my computer. Is it possible to programatically check whether phone is using proxy? If knew that phone is using proxy I would forbid user using the app by showing some error dialog. Are there any ways of solving this problem? I've seen apps that work on normal Wi-Fi settings but does not when using proxy therefore I assume there is a solution. By the way I'm using retrofit library for making requests.


Solution

  • Moving your traffic to use HTTPS will help protect it against network snoops like Fiddler.

    However, Fiddler can decrypt HTTPS traffic with the user's help, which means that you can't only use HTTPS, you also need to implement Certificate Pinning, whereby the client code verifies that the server presented one specific certificate (not the interception certificate Fiddler generates).

    However, even that doesn't really solve the problem, as the user can simply jailbreak their device and disable your certificate pinning code.

    You should probably step back and reconsider what threats specifically you're trying to protect against and then update your question appropriately.