安卓:prevent嗅探(例如与CharlesProxy)SSL流量 [英] Android: prevent sniffing (e.g. with CharlesProxy) of SSL traffic
问题描述
我用查尔斯检查哪些数据发送扔我的应用程序到HTTPS。我安装我的手机上的查尔斯CA证书正因为如此,我能够每解密SSL流量。
但我发现应用程序,在这里我不可能看到的SSL流量。我怎样才能实现这一行为到我自己的应用程序吗?这一点,在中路进攻没有人将成为可能。
...我安装我的手机上的查尔斯CA证书正因为如此,我能够每解密SSL流量。
但我发现应用程序,在这里我不可能看到的SSL流量。我怎样才能实现这一行为到我自己的应用程序吗?这一点,在中路进攻没有人将成为可能。
这可以通过证书/公钥钉扎,在那里你不检查针对本地根证书的服务器证书,而是要确保你只得到预期的证书来完成。请参见 OWASP 详情及code样品。
I use Charles to check what data is send throw my app to HTTPS. I installed the Charles CA cert on my phone and because of that, I'm able to decrypt every SSL traffic.
But I found apps, where I'm not possible to see the SSL traffic. How can I implement this behavior into my own app? With this, no man in the middle attack would be possible.
解决方案...I installed the Charles CA cert on my phone and because of that, I'm able to decrypt every SSL traffic.
But I found apps, where I'm not possible to see the SSL traffic. How can I implement this behavior into my own app? With this, no man in the middle attack would be possible.
This can be done with certificate/public key pinning, where you don't check the servers certificate against the local root certificates, but instead make sure that you only get the expected certificate. See OWASP for details and code samples.
这篇关于安卓:prevent嗅探(例如与CharlesProxy)SSL流量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
