How can I prevent a man-in-the-middle (MITM) attack on my Android app API?

That app (and all MITM proxy apps such as SandroProxy and mitmproxy) work by installing their own trusted CA certificate on the device. That allows them to sign their own certificates which the device will accept.

You have to manually install their certificate to the user key-store using a dialogue such as this:

[screenshot]

After which it displays warnings such as this:

[screenshot]

[screenshot]

It's unlikely (albeit not completely impossible) that a user would do this unintentionally, so overall it's a reasonably low threat.

Having said that, if you want to protect your app even if someone has installed a malicious CA certificate then you should implement certificate pinning.

If the device is rooted then it is conceivable that an attacker could install a malicious certificate, conceal it, and modify your apps to compromise validation and prevent pinning. However, if something rogue has root access then essentially your entire device is compromised anyway.
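The pinning the answer above recommends is, on Android, normally done declaratively with a Network Security Config `<pin-set>` (each `<pin digest="SHA-256">` is the base64 SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo) or in code with OkHttp's `CertificatePinner`, which uses the same `sha256/...` pin format. As a side note to the answer's threat model: since Android 7.0, apps targeting API 24 or later do not trust user-installed CAs unless the app opts in, so the user-keystore proxy setup shown above already fails against such apps; pinning additionally protects against a compromised system CA. The Python below is an added example, not code from the original post or from Android: it shows what those mechanisms actually compute and check, namely how the SPKI is located inside a DER certificate, how the pin string is derived from it, and the match rule (the chain is accepted if any certificate in it carries a pinned key, so a backup pin for a not-yet-deployed key can be shipped alongside the live one). The certificates are constructed in the block itself with a tiny DER builder and are structurally valid X.509 but carry a dummy signature; they are test data, not real certificates.

```python
import base64
import hashlib
from typing import Iterable, Set

SEQUENCE = 0x30
CONTEXT_0 = 0xA0  # [0] EXPLICIT version inside TBSCertificate

# ---- minimal DER helpers: only what X.509 parsing below needs ----

def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end

# ---- pin computation and matching ----

def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV (header included) of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                   issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body, 0)
    if tag != SEQUENCE:
        raise ValueError("not a TBSCertificate SEQUENCE")
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == CONTEXT_0:           # optional version field present
        pos = nxt
    for _ in range(5):             # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    start = pos
    tag, _, end = read_tlv(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return tbs[start:end]          # hash covers the whole SPKI TLV, not just its body

def spki_pin(cert_der: bytes) -> str:
    """Base64 SHA-256 of the SPKI: the value used in <pin digest="SHA-256"> and sha256/... pins."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def chain_matches_pins(chain_der: Iterable[bytes], pins: Set[str]) -> bool:
    """Match rule of Android NSC and HPKP: accept if ANY cert in the chain is pinned."""
    return any(spki_pin(c) in pins for c in chain_der)

# ---- constructed sample certificates (structurally valid, dummy signature) ----

def fake_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier(rsaEncryption), BIT STRING }"""
    oid_rsa = tlv(0x06, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1
    return tlv(SEQUENCE, tlv(SEQUENCE, oid_rsa + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key_bytes))

def build_fake_cert(spki: bytes, serial: int) -> bytes:
    """Wrap an SPKI in an X.509 v3 skeleton with CN=example.test (constructed test data)."""
    alg_id = tlv(SEQUENCE, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    name = tlv(SEQUENCE, tlv(0x31, tlv(SEQUENCE, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"example.test"))))
    validity = tlv(SEQUENCE, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(SEQUENCE, tlv(CONTEXT_0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg_id + name + validity + name + spki)
    signature = tlv(0x03, b"\x00" + b"\x00" * 64)   # placeholder BIT STRING, never verified here
    return tlv(SEQUENCE, tbs + alg_id + signature)

LEAF_SPKI = fake_spki(bytes(range(1, 33)))          # key currently deployed
BACKUP_SPKI = fake_spki(bytes(range(100, 140)))     # key pre-generated for the next rotation
LEAF = build_fake_cert(LEAF_SPKI, 1)
BACKUP_LEAF = build_fake_cert(BACKUP_SPKI, 2)

def demo() -> dict:
    """Genuine server, rotated server, and a MITM proxy cert for the same name under another key."""
    pins = {spki_pin(LEAF), spki_pin(BACKUP_LEAF)}   # live pin + backup pin
    mitm_leaf = build_fake_cert(fake_spki(b"\x99" * 32), 3)
    return {"genuine": chain_matches_pins([LEAF], pins),
            "after_rotation": chain_matches_pins([BACKUP_LEAF], pins),
            "mitm": chain_matches_pins([mitm_leaf], pins)}

if __name__ == "__main__":
    print(spki_pin(LEAF), demo())
```

Pinning the SPKI rather than the whole certificate is what lets the server renew its certificate under the same key without an app update; the backup pin is what lets it change the key. Ship both, and set an expiration on the pin set so an app that is never updated eventually falls back to normal CA validation instead of breaking outright.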


To give the good answer from thexacre a broader touch: if the application itself does the certificate checking correctly (not all do, see http://www.kb.cert.org/vuls/id/582497) then an MITM attack is only possible if the attacker is somehow trusted by the owner of the device. In the case of an owner who is curious about what the application does, the attacker is the owner itself, but it might also be an external attacker who compromised the device (i.e. an unwanted trust relationship). Only with this trust is it possible to get the additional trusted CA installed which is needed to intercept the SSL connection.

And while certificate pinning or public key pinning might be used to get around the problem of SSL interception outside the application, a knowledgeable attacker might still be able to hook into the application and extract the unencrypted data directly from inside the application. In general it is not possible to prevent these kinds of attacks as long as the software is running in an environment which is sufficiently controlled by the attacker. You might only try to make it harder with anti-debugging techniques, which are often used by DRM solutions and malware.