在 Android 开发中，通过 OkHttp 自定义 SSLSocketFactory 和 X509TrustManager 可以有效增强 HTTPS 通信的安全性，防止中间人攻击（如抓包工具 Charles/Fiddler 的拦截）。以下是实现防抓包的关键技术方案：

一、Okhttp设置固定证书（推荐）

OkHttp 内置了证书固定功能，无需自定义 SSLSocketFactory，直接配置即可

         val certificatePinner = CertificatePinner.Builder().add("example.com:443", "sha256/+o+LjQ5sWk3ABG4Gl7yZib6xTZ6F7OQ09qW7P9G+Z/Y=").build()httpClient.certificatePinner(certificatePinner)

1、example.com: OpenSSL 要连接的 HTTPS 服务域名，你需要替换为实际的目标域名

2、443: 是 HTTPS 协议的默认端口号，若服务器 HTTPS 端口自己设置的，则需要修改

3、sha256/******: OpenSSL 获取到的证书

1、获取证书（服务器证书的公钥 SHA256 哈希值）

 在终端运行以下命令获取证书

openssl s_client -connect example.com:443 | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

1. 连接到服务器：openssl s_client -connect example.com:443 建立与目标服务器的 SSL 连接。注意⚠️：example.com:443 替换为你实际要连接的服务器地址和端口

2. 提取证书：openssl x509 -pubkey 从连接中提取证书的公钥部分。

3. 转换格式：openssl pkey -pubin -outform der 将公钥转换为 DER 格式（二进制）。

4. 计算哈希：openssl dgst -sha256 -binary 计算 DER 格式公钥的 SHA256 哈希。

5. Base64 编码：openssl enc -base64 将二进制哈希值转换为 Base64 字符串。

二、自定义 SSLSocketFactory + X509TrustManager

          如果需要更细粒度的控制（如仅信任特定证书）

1. 创建自定义 TrustManager

class CustomTrustManager : X509TrustManager {private val trustedCertificates by lazy { loadTrustedCertificates() }private fun loadTrustedCertificates(): List<X509Certificate> {// 从 assets 或 raw 目录加载证书（如 .crt 或 .pem 文件）val inputStream = context.assets.open("certificate.crt")val certificateFactory = CertificateFactory.getInstance("X.509")return certificateFactory.generateCertificate(inputStream) as X509Certificate}override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {// 客户端证书验证throw CertificateException("Client certificates not supported!")}override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {// 验证服务器证书链是否与预置证书匹配if (!trustedCertificates.contains(chain[0])) {throw CertificateException("Untrusted server certificate!")}}override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
}

    2. 创建自定义 SSLSocketFactory   

class CustomSSLSocketFactory(private val trustManager: X509TrustManager) : SSLSocketFactory() {private val sslContext by lazy {SSLContext.getInstance("TLS").apply {init(null, arrayOf(trustManager), SecureRandom())}}override fun createSocket(s: Socket, host: String, port: Int, autoClose: Boolean): Socket {return sslContext.socketFactory.createSocket(s, host, port, autoClose)}// 其他重写方法（直接委托给 sslContext.socketFactory）override fun getDefaultCipherSuites(): Array<String> {sslContext.socketFactory.defaultCipherSuites}override fun getSupportedCipherSuites(): Array<String> {sslContext.socketFactory.supportedCipherSuites}override fun createSocket(host: String, port: Int): Socket {sslContext.socketFactory.createSocket(host, port)}override fun createSocket(host: String, port: Int, localHost: InetAddress, localPort: Int): Socket {sslContext.socketFactory.createSocket(host, port, localHost, localPort)}override fun createSocket(address: InetAddress, port: Int): Socket {sslContext.socketFactory.createSocket(address, port)}override fun createSocket(address: InetAddress, port: Int, localAddress: InetAddress, localPort: Int): Socket {sslContext.socketFactory.createSocket(address, port, localAddress, localPort)}}

3. 配置 OkHttpClient

 val trustManager = CustomTrustManager()val sslSocketFactory = CustomSSLSocketFactory(trustManager)val okHttpClient =OkHttpClient.Builder().sslSocketFactory(sslSocketFactory, trustManager).hostnameVerifier { hostname, session ->HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session)}.build()