Protect app from Http Proxy like Charles

Question

I am using https request for web API in my app. But I know Charles allowed to access https request also, via install root certificates on device. So, someone downloaded the app from PlayStore and installed root certificates on his device and got my Web API.

So, Please give me advice how i can protect my WebAPI.

The question seems related to [this question](https://security.stackexchange.com/q/42586/37864) — Josef, Nov 27 '18 at 11:32
I think question is different from this [This Question](https://security.stackexchange.com/q/42586/37864). — Pramod Tapaniya, Nov 28 '18 at 06:18
@Josef In that question ask about Access Web-Service from Un-Authorize user only. I am asking Web-Service hit from app, will not show in charles. — Pramod Tapaniya, Nov 28 '18 at 06:25

score 1 · Answer 1 · answered Nov 27 '18 at 11:27

1

You can't.

You can explicitly check the certificate used in your app.This will make it harder for anyone to use a MITM proxy. But if the app is running on the device of the attacker, they can change the code and allow their own certificate.

answered Nov 27 '18 at 11:27

Josef

5,903
25
33

without any change in the code possible? – Pramod Tapaniya Nov 27 '18 at 11:31
It is not possible at all. – Josef Nov 27 '18 at 11:33
web request of some apps not showing in charles how that possible? – Pramod Tapaniya Nov 27 '18 at 11:41

Protect app from Http Proxy like Charles

1 Answers1