Okhttp - Certificate Pinning and Public Key Pinning

Question

I want to improve safety of my Android application. I am using OkHttp version 3.

How to:

1) use Certificate Pinning with OkHttp.

2) use Public Key Pinning with OkHttp.

When I am doing this:

httpClient.certificatePinner(new CertificatePinner.Builder()
            .add(BuildConfig.HOST_NAME, "sha256/VRtYBz1boKOAjChfZYssN1AeNZCjywl77l2RTl/v110=")
            .build());

certificate pinning working. But what with Public Key Pinning? How to enable it?

Answer 1

certificate pinning working. But what with Public Key Pinning? How to enable it?

Since Android API 24 you can do it for any Http stack via the res/xml/network_security_config.xml file as described in their docs:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

This approach is much more easy to implement then previous ones, but still prone to misconfiguration and typos, plus you need to know how to properly create the SHA-256 digest from the public key of the certificate you want to pin.

I recommend you to use the Mobile Certificate Pinning Generator to help you with your certificate pinning implementation. This free online tool will generate for you the SHA-256 digest for the given domains and provide a network_security_config.xml file ready to be copy pasted into your project.

For example, if in your mobile app project you wanted to hypothetically pin against the domain httpbin.org and example.com:

The warnings are there because no backup pin was provided and it is a best practice to always provide one by uploading a backup certificate file that is valid for the domain and that is not yet being used live.

Now you just need to copy paste the configuration to your project as stated in that same page:

Create the file ./main/res/xml/network_security_config.xml in your project.

Copy the above certificate pinning xml configuration and paste it into the file.

Open your AndroidManifest.xml file and add the following code snippet android:networkSecurityConfig="@xml/network_security_config" inside the application tag.

Rebuild your mobile app and double check you can still make requests to the APIs.

Or you can learn how to do it with the Pin Test App example repo:

This repo provides the basic steps for integrating certificate pinning into your mobile app with the use of this Approov free tool. This guide is written specifically for native Android apps from API 24 (Android 7.0) onwards that you wish to protect the API calls with certificate pinning.

To follow this guide you only need to have an Android development setup on your machine.

NOTE: Never pin against domains you don't control. For example, the ones used by your mobile app to connect with Third Party services. To pin against this domains you need to use a Reverse Proxy. You can learn more about in the article I wrote about Using a Reverse Proxy to Protect Third Party APIs:

In this article you will start by learning what Third Party APIs are, and why you shouldn’t access them directly from within your mobile app. Next you will learn what a Reverse Proxy is, followed by when and why you should use it to protect the access to the Third Party APIs used in your mobile app.