Question

I'm using HTTPS in my Android app to communicate with my own API. When I packet sniff, I don't see any information which is good. However, when I use software like Fiddler2 to install a trusted certificate on my Android, I can see all my HTTPS calls in the clear which is dangerous.

The problem is so close to this guy but in Android not iPhone: hiding iOS HTTPS calls from fiddler

I am using loopj library to make my https calls: Android Asynchronous Http Client http://loopj.com/android-async-http/

How can I deal with such a vulnerability? (I know how to deal with it conceptually, but I need example code.)


Solution

When the user chooses to install Fiddler2's certificate as a trusted root certificate, he is then choosing to compromise his own security. I'm not sure there's much you can do about it, since your application's HTTPS connection will go through Android's certificate validation system, which will consider the connection as valid, since the certificate is trusted.

The solution I would go for is embedding your SSL certificate in your application, and telling your application it is the only trusted certificate. It's secure and free, as you can attach a self-signed certificate you created yourself, since you control the verification mechanism. See this blog article for a code example.
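One way to do the embedding the answer describes, as an added example (not code from the answer or from the loopj project): it assumes the API's certificate is shipped as a raw resource and that AsyncHttpClient exposes setSSLSocketFactory taking Apache HttpClient's SSLSocketFactory, as the loopj 1.4.x releases do.

```java
import android.content.Context;
import com.loopj.android.http.AsyncHttpClient;
import org.apache.http.conn.ssl.SSLSocketFactory;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

public final class PinnedClientFactory {

    // Builds an AsyncHttpClient that trusts ONLY the certificate bundled in the
    // app (e.g. res/raw/api_cert.pem, a hypothetical resource name). A root added
    // to the device store by a proxy tool is absent from this trust store, so the
    // handshake fails instead of being transparently intercepted.
    public static AsyncHttpClient create(Context ctx, int rawCertResId) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate pinned;
        InputStream in = ctx.getResources().openRawResource(rawCertResId);
        try {
            pinned = cf.generateCertificate(in);
        } finally {
            in.close();
        }

        // Fresh, empty key store: load(null) means no system roots are inherited.
        // A self-signed leaf works here because the store holds that exact cert.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("api", pinned);

        // Socket factory whose chain validation is backed only by our store.
        // Pinning does not replace hostname verification: keep the strict verifier
        // so the certificate's CN/SAN must still match the API host.
        SSLSocketFactory sf = new SSLSocketFactory(trustStore);
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

        AsyncHttpClient client = new AsyncHttpClient();
        client.setSSLSocketFactory(sf);
        return client;
    }
}
```

Because the app now trusts a single certificate, rotating or renewing the server certificate requires shipping an app update (or bundling the next certificate ahead of time), so plan the rotation before the current one expires.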

Licensed under: CC-BY-SA with attribution