I use Charles to check what data is sent through my app over HTTPS. I installed the Charles CA cert on my phone and because of that, I'm able to decrypt all SSL traffic.
But I found apps where it's not possible for me to see the SSL traffic. How can I implement this behavior in my own app? With this, no man-in-the-middle attack would be possible.
This can be done with certificate/public key pinning, where you don't just check the server's certificate against the local root certificates, but instead make sure that you only get the expected certificate. See OWASP for details and code samples.
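As an added illustration of the mechanism (my own example, not from the OWASP page or the asker's app), here is public key (SPKI) pinning in Go: the client still validates the chain normally and then also requires a pinned key in that chain, so an intercepting proxy whose root is installed on the device still fails the handshake. The pin format assumed is the same "sha256/base64" string OkHttp's CertificatePinner uses; the `roots` pool is an assumption for offline use, pass nil to use the system store.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"net/http"
)

// SPKIPin returns "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)) for a
// certificate: the pin format OkHttp's CertificatePinner and HPKP use. Pinning
// the key rather than the whole certificate survives routine cert renewals.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedClient keeps normal chain validation (against roots, or the system
// store when roots is nil) and additionally requires that some certificate in
// the verified chain carries a pinned key. An intercepting proxy such as Charles
// re-signs with its own key, so its chain validates (its root is installed on
// the device) but fails the pin check, and the handshake is aborted.
func PinnedClient(pins []string, roots *x509.CertPool) *http.Client {
	cfg := &tls.Config{
		RootCAs: roots,
		// verifiedChains is only populated when InsecureSkipVerify is false,
		// so the pin check runs after, not instead of, standard validation.
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			for _, chain := range verifiedChains {
				for _, cert := range chain {
					for _, pin := range pins {
						if SPKIPin(cert) == pin {
							return nil
						}
					}
				}
			}
			return errors.New("certificate pinning failure: no pinned key in chain")
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}
```

Ship at least two pins (current key plus a backup key held offline) so a key rotation does not lock every installed client out of your own server.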