
I have a mobile app that queries various 3rd party API/sites (these are https links). I have a concern that SSL proxies (e.g. Charles) can be used to intercept the traffic - man in the middle.

Are there any instances where Charles would not be able to read the traffic?

It seems crazy to me that something as basic as an SSL proxy can undermine a well-used technology - TLS.

What are my options to mitigate against an SSL proxy decrypting the traffic and possibly seeing sensitive information?

Would public key pinning be a possible mitigation? Anything else?

Architect
  • Pinning is not a mitigation, it is just a way to not blindly fall to MITM. But if the proxy itself cannot be avoided, then you don't have many options. – Crypt32 Jul 16 '19 at 13:01
  • @Crypt32 thanks for your response. Am I right in thinking that with pinning the mobile app would only connect to the legit web server and bypass the proxy? Would this mean traffic cannot be intercepted by the proxy? – Architect Jul 16 '19 at 13:09
  • Nope. With pinning, app will receive and reject the certificate from proxy. Depending on a proxy configuration (if it is HTTPS Inspection), client will be unable to connect to legit server, because it will never receive legit certificate (specified in pin). – Crypt32 Jul 16 '19 at 13:12
  • @Crypt32 what would prevent the mobile app never receiving the certificate from the legit server? – Architect Jul 16 '19 at 13:21
  • Proxy server. When you connect to the remote server (legit), your HTTPS connection will be split in two parts: client-proxy and proxy-server. The legit certificate will terminate on the proxy. The proxy will present to you only its autogenerated certificate. – Crypt32 Jul 16 '19 at 13:24
  • @Crypt32 that's a very good point. Is this also the case for public key pinning as opposed to certificate pinning? – Architect Jul 16 '19 at 13:38
  • Doesn't much matter in your scenario. Pinning will allow the app to be informed that someone is in the middle, and it will close the connection to the server. – Crypt32 Jul 16 '19 at 13:40
  • @Crypt32 When the mobile app connects to a 3rd party, a session token/key is generated. Would having a session (between mobile app and 3rd party) disallow manipulation of requests through the proxy? – Architect Jul 16 '19 at 14:35
  • You don't understand how HTTPS inspection works. Session initiation is sent in plaintext. The proxy intercepts it and responds to you with its own certificate, and you have a session key only with the proxy server. The proxy then establishes another session with the legit server (on behalf of you). The proxy decrypts and re-encrypts all data you exchange with the legit server and can read the data unencrypted. – Crypt32 Jul 16 '19 at 15:36

0 Answers
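The comment thread above explains that pinning does not get traffic past an inspecting proxy; it only lets the app notice that the presented certificate is not the one it expects and refuse to continue. The following is an added example, not code from the question or the comments, showing the decision public-key (SPKI) pinning makes: the app hashes the DER SubjectPublicKeyInfo of the leaf certificate and compares it with a pin compiled into the app. It also illustrates the public-key versus certificate pinning distinction asked about in the thread: a renewed certificate that keeps the same key still matches the pin, while a proxy's autogenerated certificate for the same hostname (different key) does not. The certificates, OIDs-as-labels and key material used here are constructed DER skeletons that only reproduce the field order of a real X.509 certificate; `api.example.com`, `Example CA` and the helper names are assumptions for the example.

```python
# Added example (not from the question or comments). The "certificates" below
# are constructed DER skeletons with real X.509 field order but placeholder
# key material and signatures; no real CA, key or hostname is involved.
import base64
import hashlib

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11


def der_tlv(tag, body):
    """Encode one DER element: tag, definite-form length, value."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))

def _read_tlv(buf, pos):
    """Decode the element starting at buf[pos]; return (tag, value, end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """Return [(tag, raw_tlv, value)] for each child of a DER SEQUENCE."""
    tag, body, _ = _read_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        t, v, end = _read_tlv(body, pos)
        out.append((t, body[pos:end], v))
        pos = end
    return out

def extract_spki(cert_der):
    """Return the raw DER subjectPublicKeyInfo of a (leaf) certificate."""
    tbs = _children(cert_der)[0][1]           # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                  # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, raw, _ = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return raw

def spki_pin(spki_der):
    """HPKP-style pin string: base64 of SHA-256 over the DER SPKI."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def check_pins(cert_der, pinned):
    """True only if the presented leaf key matches one of the app's pins."""
    return spki_pin(extract_spki(cert_der)) in pinned

def make_fake_spki(key_material):
    """Constructed SPKI: AlgorithmIdentifier(rsa, NULL) + BIT STRING(key)."""
    return der_seq(der_seq(der_tlv(0x06, RSA_OID), der_tlv(0x05, b"")),
                   der_tlv(0x03, b"\x00" + key_material))

def make_fake_cert(serial, subject_cn, spki):
    """Constructed certificate skeleton with the real X.509 field order."""
    alg = der_seq(der_tlv(0x06, SHA256_RSA_OID))
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                   # [0] version v3
        der_tlv(0x02, bytes([serial])),                          # serialNumber
        alg,                                                     # signature
        der_seq(der_tlv(0x0C, b"Example CA")),                   # issuer (simplified)
        der_seq(der_tlv(0x17, b"190101000000Z"), der_tlv(0x17, b"200101000000Z")),
        der_seq(der_tlv(0x0C, subject_cn)),                      # subject (simplified)
        spki,                                                    # subjectPublicKeyInfo
    )
    return der_seq(tbs, alg, der_tlv(0x03, b"\x00" * 9))        # placeholder signature

LEGIT_SPKI = make_fake_spki(b"constructed-legit-server-key")     # constructed
PROXY_SPKI = make_fake_spki(b"constructed-proxy-generated-key")  # constructed
PINS = {spki_pin(LEGIT_SPKI)}          # shipped inside the app at build time

def scenario():
    """Three certificates for the same hostname, as judged by the pinned app."""
    original = make_fake_cert(1, b"api.example.com", LEGIT_SPKI)
    renewed = make_fake_cert(2, b"api.example.com", LEGIT_SPKI)   # same key, new serial
    proxied = make_fake_cert(3, b"api.example.com", PROXY_SPKI)   # proxy's own key
    return {
        "original": check_pins(original, PINS),
        "renewed": check_pins(renewed, PINS),
        "proxy": check_pins(proxied, PINS),
    }
```

In a real client this check runs on the DER leaf certificate the TLS layer hands back (in Python, `ssl.SSLSocket.getpeercert(binary_form=True)`; on Android, OkHttp's `CertificatePinner` does the same SPKI hash comparison) and it runs in addition to, not instead of, normal chain validation. As Crypt32 notes, a pin mismatch makes the app close the connection; it does not give the app any path to the legit server around the proxy.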