Question

I have an SSL connection. If I use the Fiddler or Charles app, I can see the decrypted SSL data. How can I prevent this bug?

Update: I had NOT imported the certificate for Charles; my Android device is rooted and I use the ProxyDroid app and allowed untrusted apps. After these manipulations I can see the decrypted data. I want to block this bug...

Update 2: I use the class EasyX509TrustManager.java (Apache) for checking the certificate. See the method checkServerTrusted. If I use "certificates[0].checkValidity();", the certificate is ALWAYS valid, but if I use "standardTrustManager.checkServerTrusted( certificates, authType );", the certificate can be valid (Charles turned off) or invalid (with Charles). Without "certificates[0].checkValidity();" it works fine, but I'm not sure if that is right.


The solution

If you haven't imported Charles' or Fiddler's certificate and you're still seeing the traffic from your device, that means that you're not using HTTPS properly. You need to configure your code so that it performs proper chain-checking on the certificate used to secure the HTTPS connection. In most language/framework stacks, this happens automatically and you have to go out of your way to override it.

What language/framework are you using, and what object are you using to send the request?

If you have imported the debugger's certificate to the device, then by default most languages/frameworks will deem it to be trusted. To prevent that, your code must manually evaluate the certificate chain from the server before allowing communication to proceed. This technique is called "certificate pinning."

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow