
I was watching Google I/O 2012's Security and Privacy in Android Apps. At around 37:55, Kenny Root talks about certificate pinning and tells us to visit the docs for HttpsUrlConnection to see how to use a pinset.

Unfortunately my Google-fu is off again, and I can't seem to locate the example (locally or on the web). Searching for "httpsurlconnection pinset example" returned 0 hits. Would anyone happen to have a link or example of using HttpsUrlConnection with a pinset?

For those who do not pin, pinning is a whitelist of expected server certificates (possibly thumbprints). It remediates a lot of infrastructure issues created by carriers, telcos, handset OEMs, CAs, subordinate CA certificates (including proxies), ISPs, and DNS providers.

Jeff

jww

1 Answer


Visit the Android documentation on HttpsURLConnection and read the section entitled "Providing an application specific X509TrustManager" for the sample code.

Note you'll have to make a Keystore file containing your certificates. You can do this with the "keytool" command that ships with the JDK:

keytool -import -trustcacerts -alias myca -file myca.crt -keystore myca.jks

kroot
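An added example, not code from the answer or from the Android documentation, of the approach the referenced doc section describes: load a bundled keystore into a TrustManagerFactory and give the resulting SSLContext to HttpsURLConnection, so only the pinned certificates are trusted. Assumed names: the keystore ships as res/raw/pinset.bks in BKS format (Android's KeyStore provides no JKS type, so a keytool-created store has to be converted or created as BKS), and the password is the one supplied to keytool when the store was built.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import android.content.Context;

/** Opens HttpsURLConnections that trust only the certificates in a bundled pinset keystore. */
public final class PinnedHttps {
    private final SSLContext sslContext;

    // rawKeystoreId is assumed to be R.raw.pinset, a BKS keystore holding only the pinned
    // CA or leaf certificate(s); password is the one used when the store was created.
    public PinnedHttps(Context context, int rawKeystoreId, char[] password) throws Exception {
        KeyStore pinStore = KeyStore.getInstance("BKS");
        InputStream in = context.getResources().openRawResource(rawKeystoreId);
        try {
            pinStore.load(in, password);
        } finally {
            in.close();
        }
        // Trust managers built from this store know nothing about the device's system CAs,
        // so a chain ending in any other root (for example an intercepting proxy) is rejected.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(pinStore);
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    }

    /** Returns a connection whose TLS handshake only succeeds against a pinned certificate. */
    public HttpsURLConnection open(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
        // The default hostname verifier stays in place: pinning replaces the CA check,
        // not the check that the certificate matches the host being contacted.
        return conn;
    }

    // Usage (assumed resource and password):
    //   PinnedHttps https = new PinnedHttps(ctx, R.raw.pinset, "changeit".toCharArray());
    //   HttpsURLConnection conn = https.open("https://example.com/api");
    //   int status = conn.getResponseCode(); // throws SSLHandshakeException if not pinned
}
```

A handshake failure here surfaces as an SSLHandshakeException; logging it (with the host) is a cheap way to spot interception on devices in the field.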