Tags: ios, ssl-certificate, charles-proxy, ssl-pinning

stop Charles from tracking my app's requests without SSL Pinning in iOS


When I set up Charles for debugging, I can see all the traffic, which is a good part. But Charles is showing all the traffic for my released production app, which is not good at all.

Is there any way I can stop Charles from capturing all the traffic for my production app without SSL Pinning?

Please help me out.

Thanks in advance!


Solution

  • No - there's no way to do this, and actually even SSL pinning cannot guarantee this.

    More generally: it is impossible to keep the details of what your application is doing on a user's device completely secret from the user, if they're sufficiently determined & knowledgeable. You can make it more difficult, but it's a cat and mouse game that you will never 'win'. At the end of the day, the user controls the device, not you.

    In the simple case, they can just install their own certificate authority and then intercept traffic on the local network or similar. You can't defeat this without certificate pinning, and certificate pinning to block this will make your app unusable on many enterprise networks that require this kind of network scanning for all traffic.

    In the more advanced case, they can use a jailbroken device, and then they can modify your app directly (either with Frida, or extracting the built app and modifying it themselves) so they can just disable any protections you add.

    An app trying to defeat a user who fully controls the device is not possible, and not a good idea. Instead, you should ensure you don't have any critical secrets stored inside your app's source code or visible in the traffic, you should assume all traffic you send is visible to your users, and you should configure your server to not trust incoming app traffic by default.

    If you use proper security mechanisms on the server, it shouldn't be a problem if users can see the traffic from their own devices. This is the same model that web pages have always worked with: they run in a browser (an untrusted environment where the user can see everything) but send traffic to a server, which authenticates requests.