1

I am using HTTPS requests for the web API in my app. But I know Charles also allows access to HTTPS requests, by installing root certificates on the device. So, someone downloaded the app from the Play Store, installed root certificates on his device and got my web API.

So, please give me advice on how I can protect my web API.

user3382203
  • The question seems related to [this question](https://security.stackexchange.com/q/42586/37864) – Josef Nov 27 '18 at 11:32
  • I think the question is different from [this question](https://security.stackexchange.com/q/42586/37864). – Pramod Tapaniya Nov 28 '18 at 06:18
  • @Josef That question asks only about access to the web service by unauthorized users. I am asking how to make the web service hits from the app not show in Charles. – Pramod Tapaniya Nov 28 '18 at 06:25

1 Answer

1

You can't.

You can explicitly check the certificate used in your app. This will make it harder for anyone to use a MITM proxy. But if the app is running on the device of the attacker, they can change the code and allow their own certificate.

Josef
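The certificate check described in the answer above, sketched as an added example that is not part of the original answer: after the normal TLS validation, the client compares the server's public-key hashes against pins compiled into the app, so a chain signed by a user-installed proxy root fails even though the device trusts it. The class name and pin strings are placeholders, and `java.util.Base64` assumes Android API 26 or later.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PinnedClient {
    // Placeholder pins: base64(SHA-256(SubjectPublicKeyInfo)) of the real server
    // key and of a backup key. Replace with values computed from your own keys.
    private static final Set<String> PINS = new HashSet<>(Arrays.asList(
            "PRIMARY_SPKI_SHA256_BASE64_PLACEHOLDER",
            "BACKUP_SPKI_SHA256_BASE64_PLACEHOLDER"));

    // Hash the certificate's public key rather than the whole certificate,
    // so the pin survives a renewal that keeps the same key pair.
    static String spkiPin(Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    // Opens the connection and returns it only if some certificate in the
    // presented chain carries a pinned key. Nothing is sent before the check.
    static HttpsURLConnection open(String url)
            throws IOException, NoSuchAlgorithmException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.connect(); // TLS handshake with the platform's chain and hostname checks
        for (Certificate cert : conn.getServerCertificates()) {
            if (PINS.contains(spkiPin(cert))) {
                return conn; // caller may now write the request and read the response
            }
        }
        conn.disconnect();
        throw new SSLPeerUnverifiedException("no pinned key in server chain: " + url);
    }
}
```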