Recently I have used the Retrofit 2.3.0
networking library in my project. I have also implemented SSL pinning
for securing the app, using the CertificatePinner
class in OkHttp
and thus Retrofit.
However, after another team ran a comprehensive penetration test
on our APK, they were able to tamper with the CertificatePinner
class in the OkHttp client, gaining access to the plain messages
that are being sent to the web services.
Since we have to exclude the Retrofit and OkHttp classes from the ProGuard
process by writing their specific keep rules, we concluded this was the main cause of their successful reverse engineering.
Anyway, the following questions have arisen considering the situation:
1- Why, in the first place, do Retrofit and OkHttp need ProGuard rules?
2- What is a possible secure workaround for this problem?
3- Do we need to replace Retrofit with yet another library like Volley or AsyncHttpClient?
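For reference, here is an added example (not the asker's code) of the OkHttp/Retrofit pinning setup the question is about, with two pins per host and explicit handling of a pin mismatch. The host name and both `sha256/...` pin values are placeholders I made up; a real deployment computes them from the server's leaf or intermediate public key. The comments also record why Retrofit needs keep rules (it reads annotations and generic signatures by reflection) and why those rules are not what makes on-device pinning removable.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;

/**
 * Example client with OkHttp certificate pinning. Assumed host and
 * placeholder pins; replace them with the SPKI hashes of your own chain.
 */
public final class PinnedClient {
    // Hypothetical host; not from the original post.
    private static final String API_HOST = "api.example.com";
    // Placeholder pins (not real hashes). Always ship at least one backup pin
    // so a certificate rotation does not lock every installed client out.
    private static final String PIN_PRIMARY = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private PinnedClient() {}

    /** OkHttpClient that rejects any chain for API_HOST lacking a configured pin. */
    public static OkHttpClient buildClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_PRIMARY)
                .add(API_HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /**
     * Retrofit on top of the pinned client. Retrofit resolves service
     * interfaces by reflection, so ProGuard must keep annotations and generic
     * signatures (the usual "-keepattributes Signature, Exceptions, *Annotation*"
     * rules). Those keep rules only preserve metadata Retrofit needs at runtime;
     * they do not add any capability an attacker lacked. Pinning runs inside
     * the app process on the user's device, so anyone who controls that device
     * or repackages the APK can strip or hook it regardless of obfuscation:
     * treat it as defense in depth, not as a server-side trust boundary.
     */
    public static Retrofit buildRetrofit(OkHttpClient client) {
        return new Retrofit.Builder()
                .baseUrl("https://" + API_HOST + "/")
                .client(client)
                .addConverterFactory(GsonConverterFactory.create())
                .build();
    }

    /**
     * Probe that distinguishes a pin failure from other errors, so the app can
     * log or report it instead of silently retrying without pinning.
     */
    public static boolean pinHolds(OkHttpClient client) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/health")
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.isSuccessful();
        } catch (SSLPeerUnverifiedException e) {
            // OkHttp throws this when the presented chain matches none of the pins.
            return false;
        }
    }
}
```

A pin failure surfaces as `SSLPeerUnverifiedException`; the point of catching it separately is to make a tampered or intercepted connection observable in your own telemetry rather than indistinguishable from a network error.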