how to increase security while using ssl in android volley


I have been searching for 2 days for my problem and I had no luck in finding it.

My problem:

I have a Comodo SSL/TLS certificate installed on my server, and I am using the Android Volley library for connecting to the server. Until now I was using just "https://..." for my URL and connecting via an HTTPS connection to my server with no problem. But I recently installed the "Packet Capture" Android application on my phone. With default settings and a phone which is not rooted it cannot retrieve post/response information from my app to the server, but when you use a rooted phone, the Packet Capture app asks you to install a custom certificate on the phone so it can retrieve even SSL/TLS connections. At first I thought it was joking, but after installing the certificate it shows the whole information used in the SSL connection to my server... I am so worried about the security of my app, which a hacker can use that capturing app to know what to send to my server and set his coin number for example to 100000 :(

Please show me a way to make my app's connection more secure. * I don't have a custom certificate installed in the app because the server certificate is trusted and working OK with the default use.

Sorry for my poor English typing :)

Edit: thanks to @Ch4t4r for the idea... I did search and found this for pinning the public key and it's so great; here is the GitHub link: https://github.com/faruktoptas/volley-public-key-pinning

Hope it helps others having the same problem.


12
BEST ANSWER

The way that app works is as follows (summarized):

  1. Your app tries to establish a connection to your server
  2. The app captures the request and forwards it
  3. The app captures the answer from the server and replaces its certificate

It's a classic man-in-the-middle attack which works because the certificate of the app you are using is trusted. You cannot prevent rooted users from breaking your encryption.

The only thing you could do is security by obscurity. Try encoding your values (complementary values, or by encrypting them with a key stored in your app) or sending a hash of the entire request. This will lock most people out (the non-technical ones), but there is no absolute way of stopping users from cheating this way. What you could do as well is use one-time tokens (kind of how salts work) to encode your important values. Obfuscating your source code would help as well. But again, there is no absolute way; this is only laying stones in the way of users who might still be able to cheat. It significantly increases the time needed to figure out how to do so.

I wouldn't waste too much time on it, here's why:

  • About 20-25% of Android devices are rooted (according to some older data. I suppose it's actually less)
  • Some rooted devices are test or store devices (Kiosk mode); let that be 15% of all rooted devices
  • If 50% of the other rooted users know about the app (it won't be that high), we are down to 8.5% of all Android users
  • Using the security by obscurity principle only very tech-savvy users will be able to figure out how to cheat. If that'd be true for 20% (again, that's a very high number) of all users which fit into the above we are at 1.7% of all Android users.
  • Considering that not all of those users might use your app, some might just not care, I would put the percentage of users who have the ability to cheat AND use your app at 0.5% at most.

A more drastic method would be blocking all rooted users.
Edit: As another answer suggests, you could be using public-key pinning. Just remember that not all users tend to update as soon as you publish a new version, effectively rendering your app useless if they don't. Thus it comes with a small risk.

0

There is a Java library on GitHub that has some examples.

https://github.com/Flowdalic/java-pinning/blob/master/README.md

1

I am not sure what programming language your app is written in, but you can look into certificate pinning to prevent these attacks. Your code would check the SSL certificate prior to sending any request, and if the values don't match you can have your app fail with an error message.

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
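Putting the question's public-key pinning edit and this answer's certificate-pinning suggestion into Volley code, as an added example that is not from the question, any answer, or the linked libraries: a custom X509TrustManager first runs the normal CA validation and then requires that some certificate in the server's chain carries a pinned SubjectPublicKeyInfo SHA-256, and its SSLSocketFactory is handed to Volley's HurlStack. The class name `PinnedVolley` and the pin strings are placeholders; compute the pins from your own certificate.

```java
import android.content.Context;
import android.util.Base64;
import com.android.volley.RequestQueue;
import com.android.volley.toolbox.HurlStack;
import com.android.volley.toolbox.Volley;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedVolley {
    // PLACEHOLDER pins: base64 SHA-256 of the server's SubjectPublicKeyInfo (the HPKP / Network Security Config format).
    static final String[] PINS_SHA256 = { "REPLACE_WITH_SPKI_SHA256_BASE64", "REPLACE_WITH_BACKUP_PIN" };
    static X509TrustManager systemTrustManager() throws Exception {
        // Platform default trust manager: ordinary CA chain validation against the device store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    // PublicKey.getEncoded() yields the DER SubjectPublicKeyInfo, which is exactly what a pin hashes.
    static String spkiSha256(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        return Base64.encodeToString(d, Base64.NO_WRAP);
    }
    static X509TrustManager pinning(final X509TrustManager system) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { system.checkClientTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                system.checkServerTrusted(chain, authType); // CA validation first; a user-installed CA passes this step
                try {
                    for (X509Certificate cert : chain) for (String pin : PINS_SHA256)
                        if (pin.equals(spkiSha256(cert))) return; // any pinned key in the chain is enough
                } catch (Exception e) { throw new CertificateException(e); }
                throw new CertificateException("no pinned public key in server chain"); // an interception proxy fails here
            }
        };
    }
    // Volley queue whose HurlStack only completes a TLS handshake with a server presenting a pinned key.
    public static RequestQueue newPinnedQueue(Context ctx) throws Exception {
        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(null, new TrustManager[] { pinning(systemTrustManager()) }, null);
        return Volley.newRequestQueue(ctx, new HurlStack(null, ssl.getSocketFactory()));
    }
}
```

On Android 7.0 and later the same pins can be declared without code in a Network Security Config (`<pin-set>` in `res/xml/network_security_config.xml`), which also accepts an expiration date so a stale pin set falls back to plain CA validation instead of breaking the app. Either way, pin the intermediate CA's key or ship a backup pin so that the update-lag risk the accepted answer mentions stays manageable.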