paulsenjs

Reputation: 88

Are there any ways to prevent SSL pinning bypass when using OkHttp3?

There are so many articles about circumventing SSL pinning in Android by using the CertificatePinner class in OkHttp3.

https://medium.com/@hojat.sajadinia/bypass-okhttp-certificatepinner-on-android-9a45ad80a58b

https://blog.nviso.eu/2019/04/02/circumventing-ssl-pinning-in-obfuscated-apps-with-okhttp/?fbclid=IwAR3QRvecJl6rlmpN_fpbBGgY2Bvrax3eo-Y7qOf7StYW7_aGsuaIdrr_pQs

https://joncooperworks.medium.com/disabling-okhttps-ssl-pinning-on-android-bd116aa74e05

So my question is: what should I do to prevent bypassing SSL pinning with OkHttp.CertificatePinner?

What I tried is to obfuscate OkHttp in my project. The OkHttp3 class is not found when we reverse the APK file using ApkTools, but when I use jadx to reverse the APK file, OkHttp3 doesn't get obfuscated in the dex file.

CertificatePinner is still found when reversing with jadx.

Upvotes: 1

Views: 3843
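For reference, the OkHttp pinning setup the question is about, as an added example that is not from the asker's project: it derives the "sha256/..." pin strings OkHttp expects from certificate files and builds a client that pins a host to a primary and a backup pin. The host name and certificate file paths are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class PinnedClientFactory {

    // Derive the pin OkHttp expects ("sha256/<base64>") from a DER- or PEM-encoded X.509 file.
    // CertificatePinner.pin() hashes the SubjectPublicKeyInfo, so the pin survives certificate
    // renewal as long as the key pair is reused.
    static String pinFor(String certPath) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(certPath))) {
            Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
            return CertificatePinner.pin(cert);
        }
    }

    // Pin the host to two keys: the one currently served and a backup held offline,
    // so a key rotation does not lock every installed client out.
    static OkHttpClient build(String host, String primaryPin, String backupPin) {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(host, primaryPin, backupPin)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host and paths; replace with the real server and its exported certificates.
        String host = "api.example.com";
        String primary = pinFor("certs/api-current.pem");
        String backup = pinFor("certs/api-backup.pem");
        OkHttpClient client = build(host, primary, backup);
        System.out.println("Pinned client built for " + host + " with pins " + primary + ", " + backup);
    }
}
```

Any request through this client to a chain that matches neither pin fails with javax.net.ssl.SSLPeerUnverifiedException; the check runs entirely on the device, which is why the answers below turn to attestation for the case where the device itself is under the attacker's control.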

Answers (2)

paulsenjs

Reputation: 88

Finally I had to override mapping.txt manually, since ProGuard rules don't work on OkHttp3. Hopefully, after I overrode the class names, method names and object names of OkHttp3, this would be able to prevent man-in-the-middle attackers from bypassing certificate pinning via Okhttp3.CertificatePinner.java.

Upvotes: 1

Yuri Schimke

Reputation: 13458

You can probably investigate device attestation to confirm the right app binary is running on a non-rooted mobile: https://developer.android.com/training/safetynet/attestation

The SafetyNet Attestation API is an anti-abuse API that allows app developers to assess the Android device their app is running on. The API should be used as a part of your abuse detection system to help determine whether your servers are interacting with your genuine app running on a genuine Android device.

But I'm not qualified to provide expert advice on this topic.

Upvotes: 1
