TLS connection – Detecting data breach / manipulation [duplicate]


This question already has an answer here:

  • Protect SSL connections from MITM for users with modified clients
  • How can I prevent a man-in-the-middle (MITM) attack on my Android app API?

I need some help in creating a secure connection using TLS.

I have downloadable software that connects to our server using a TLS connection. We want to ensure that the data sent by the client to the server is secure and cannot be seen or manipulated by the user of our software.

I have bundled our CA certificate with the software so that it can verify the host and detect a man-in-the-middle attack. The CA certificate is a self-signed certificate generated by openssl.

+------------------------+                      +----------------+
|                        |                      |                |
|                        |      TLS connection  |                |
|  Client Software       |                      |                |
|  + Our CA certificate  +--------------------->+  Server        |
|                        |                      |                |
|                        |                      |                |
+------------------------+                      +----------------+

However, what happens if a user who downloaded the software uses DNS spoofing/ARP poisoning, replaces the CA certificate with a fake one and creates a man-in-the-middle situation to manipulate/view the traffic? In this case, the CA validation will pass and the client software will not be able to detect any abnormal behaviour.

+-----------------+           +------------------+          +-----------------+
|   Client +      |           | MITM +           |          |  Server         |
|   Fake CA cert  |  TLS      | our CA cert      |    TLS   |                 |
|                 +---------->+                  +--------->+                 |
|                 |           |                  |          |                 |
+-----------------+           +------------------+          +-----------------+

So possibly using a CA certificate is not of much help here.

Any suggestions on how to ensure that the client software makes a secure connection with the server which cannot be compromised by a situation like the one described above?
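The three situations the question draws (genuine server with the bundled CA, a MITM certificate checked against the bundled CA, and the same MITM certificate after the user has swapped the bundled CA file) can be reproduced offline with nothing but certificate-chain validation. The following Go program is an added example written for this page; it is not the asker's software and does not use their certificates. All CA names and the host name `api.example.test` are constructed placeholders, and `ClientAccepts` stands in for the check a TLS client performs on connect (chain the presented certificate to the bundled root and match the hostname).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed certificate authority: its certificate and signing key.
// It stands in for the self-signed CA the question generates with openssl.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// mint generates a fresh P-256 key and signs tmpl with parent/parentKey.
// When parent is nil the certificate is self-signed with its own key.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA mints a self-signed CA certificate. The name is a placeholder.
func NewCA(name string) (*CA, error) {
	cert, key, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a server (leaf) certificate for host with this CA.
// The leaf's private key is discarded: only chain validation is exercised.
func (c *CA) IssueServerCert(host string) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, c.Cert, c.Key)
	return cert, err
}

// ClientAccepts is the check the client software performs on connect: chain
// the presented certificate to the CA bundled with the client and verify the
// hostname. It reports whether validation passes.
func ClientAccepts(presented, bundledCA *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(bundledCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Outcome records the three cases from the question.
type Outcome struct {
	Genuine     bool // real server cert, client ships our CA
	NetworkMITM bool // cert from a fake CA, client still ships our CA
	LocalSwap   bool // same fake-CA cert, user replaced the bundled CA file
}

// Scenario builds both CAs and both leaf certificates and runs the client
// check in each configuration.
func Scenario() (Outcome, error) {
	const host = "api.example.test" // placeholder host name
	ourCA, err := NewCA("Our CA (constructed)")
	if err != nil {
		return Outcome{}, err
	}
	fakeCA, err := NewCA("Fake CA (constructed)")
	if err != nil {
		return Outcome{}, err
	}
	serverCert, err := ourCA.IssueServerCert(host)
	if err != nil {
		return Outcome{}, err
	}
	mitmCert, err := fakeCA.IssueServerCert(host)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Genuine:     ClientAccepts(serverCert, ourCA.Cert, host),
		NetworkMITM: ClientAccepts(mitmCert, ourCA.Cert, host),
		LocalSwap:   ClientAccepts(mitmCert, fakeCA.Cert, host),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v networkMITM=%v localSwap=%v\n", o.Genuine, o.NetworkMITM, o.LocalSwap)
}
```

The second case shows what the bundled CA does buy: a certificate minted by anyone else fails validation, so an attacker who only controls the network (DNS or ARP) is stopped. The third case is the question's scenario: once the person operating the client replaces the CA file, the very same certificate validates, because the check only ever authenticates the server to whatever trust store the client happens to hold. Nothing in this check authenticates the client or its user to the server, which is what the question is really after.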