Philosophically, can one 100% protect app against someone sniffing app's traffic (say via Charles) if OS allows to install custom CA?

This doesn't feel very Kotlin related 😄. But since you asked, you should be able to set up certificate pinning in your app's network security config.

Yes but I'm not sure what's the correct channel

But modifing your app makes the signature invalid.

hmm what signature?

The signature of your app

Use Android : Play Integrity API and iOS : DeviceCheck

but that's all client-side code, that can be simply removed from the app if the attacker is determined, no?

Nope, the client generates a token and the server validates it

okay so this has nothing to do with cert pinning

why do you want cert pinning?

well first comment mentioned cert pinning

sorry, why do you want to avoid traffic sniffing?

well to make it harder for the attack but yes my original question is that I believe this is not possible to make sure with 100% certainty -- and therefore such effort should be forfeited, as it'ß only security by obscurity

well to make it harder for the attack

so you want to avoid attacks on your internal API?

yes, that was consultant's first question - how is app secured against api sniffing and argued for cert pinning

cert pinning isn't a silver bullet, the app can be decompiled and the certificate retrieved note that the tools provided by Apple and Google aren't perfect either

that's my argument, that I can simply extract the APK from OS, remove the cert pinning configuration & rebuild the app via apktool or whatever, and then see traffic

I think this is possible yes, however I am no expert in mobile development 😄

well, it's all zip of bytecode at the edge anyways

Well, you still need to recreate the app signature to install it on the client devices. And an attacker should not have access to your developer private key.

however, once the certificate extracted, you can use it to make API calls without even using the original app

why would I need to recreate the signature? Isn't that only relevant when I want to distribute the "cracked" app? I can install the modified app on my device, no?

I think this doesn't matter much on rooted devices

meaning with root I can pass my cert into the system ones?

probably

yes .. but I read the settings are enabled by default when targetSdk is 7+ which is old news anyways (such app wont be allowed on play store since some time ago)

that's a good TLDR 😄

how would you mitigate?

well, everything we said above

would you still consider cert pinning?

I think it can help, like I said:

note that what you're trying to achieve here is to mitigate potential hackers to exploit your application, and this is part of the various mitigations helping you.

I'm aware, just asking if you'd bother

I wouldn't

since one can just add a new hash of his own cert, repackage the app back up and see

I would just assume that device owners have access to traffic to-and-from that device. And I don’t want to live in the world where that’s not true. (Yes, I know it’s not entirely true, but let’s not go there yet) If you are concerned with a user knowing how your app works, that’s kind of unrealistic. They could just reverse engineer your app to get the request/response logic. If you’re concerned with a user abusing your APIs, you need to have authentication in place, and monitoring for abuse.

Security is solid but I'm mostly concerned with phishing which is a hard problem to help and having api thats so easily sniffable doesnt help the cause