How can I secure request headers from being exposed using Proxyman? I can easily get an access to api tokens and any credentials that my app sends to my back-end. I'd like to know is there any way to secure headers/body so no one can get access to it?
Fundamentally, HTTP requests are secured through the use of TLS (https), preventing intermediates from reading the contents, including the headers. In the case of Proxyman, you've side stepped that security by installing a new system TLS certificate and trusting it, allowing the system to consider the connection secure even when it's not connected to the original server. This is expected, as it's usually rather difficult to get systems to trust new certificates maliciously and Apple has made manually trusting new certificates more obfuscated over the years, helping users avoid trusting a new one accidentally. So this isn't usually something to worry about.
That said, one way to avoid this is to use certificate pinning, which Alamofire supports, and which Apple supports natively on iOS 15 and later (Identity Pinning: How to configure server certificates for your app - Discover - Apple Developer). However, pinning isn't very popular due to the deployment issues it creates (you must update your app whenever new certificates are generated, hopefully with enough lead time for app review approval before the new cert is required) and the fact that it breaks debugging tools like Proxyman. If you do go this route, I'd suggest disabling it for debug builds (easy using Alamofire, not sure how to do it with Apple's way) so that you can still use the debug networking tools yourself.
But like I said, this isn't something you usually need to worry about.
To add to what Jon said, the short answer to "How can I secure request headers from being exposed" is: You can not.
The longer version is this:
Even if you employ certificate pinning (bringing along the caveats mentioned), a motivated attacker can most likely still gain access by modifying the app binary (on a jailbroken device if required) to disable pinning. They can also get the information straight from the app, either from the bundle/binary itself or by analyzing it at runtime using debugging tools.
Obfuscation can help a bit with this, but it just makes things harder/more annoying. It can't really deter a determined attacker.
This applies not only to request headers/content but more generally: Anything the app knows about or does, an attacker can gain access to.
The usual method to cope with this is to not let your app access any third-party API directly where leaking tokens would pose a problem. Instead, have your app talk to a server you control, with its own set of API tokens, where you can then employ rate-limiting or anything else you might need to do to prevent abuse.
2 Likes