I want to improve the safety of my Android application. I am using OkHttp version 3.
How to:
1) use Certificate Pinning with OkHttp.
2) use Public Key Pinning with OkHttp.
When I am doing this:
httpClient.certificatePinner(new CertificatePinner.Builder()
        .add(BuildConfig.HOST_NAME, "sha256/VRtYBz1boKOAjChfZYssN1AeNZCjywl77l2RTl/v110=")
        .build());
certificate pinning is working. But what about Public Key Pinning? How to enable it?
Since Android API 24 you can do it for any HTTP stack via the res/xml/network_security_config.xml file as described in their docs:

This approach is much easier to implement than the previous ones, but still prone to misconfiguration and typos, plus you need to know how to properly create the SHA-256 digest from the public key of the certificate you want to pin.
I recommend you use the Mobile Certificate Pinning Generator to help you with your certificate pinning implementation. This free online tool will generate for you the SHA-256 digest for the given domains and provide a network_security_config.xml file ready to be copy-pasted into your project. For example, if in your mobile app project you wanted to hypothetically pin against the domains httpbin.org and example.com:

The warnings are there because no backup pin was provided, and it is a best practice to always provide one by uploading a backup certificate file that is valid for the domain and that is not yet being used live.
Now you just need to copy-paste the configuration into your project as stated on that same page:
Or you can learn how to do it with the Pin Test App example repo:
NOTE: Never pin against domains you don't control, for example the ones used by your mobile app to connect with third-party services. To pin against these domains you need to use a Reverse Proxy. You can learn more about it in the article I wrote about Using a Reverse Proxy to Protect Third Party APIs:
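As an added example (not part of the question or the answer above): the "sha256/..." pin that OkHttp's CertificatePinner and the `<pin digest="SHA-256">` element of network_security_config.xml both accept is base64(SHA-256(SubjectPublicKeyInfo)), so it is already a public key pin rather than a whole-certificate pin. The script below computes that digest from a DER certificate with a minimal ASN.1 walk and checks a pin string for the typos the answer warns about; the certificate it runs on is a constructed, structurally valid DER with a fake key, not a real one.

```python
import base64
import binascii
import hashlib

def _der(tag, content):
    """Encode one short-form DER TLV (enough for the constructed sample below)."""
    return bytes([tag, len(content)]) + content

def _read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def spki_from_der_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, pos, _ = _read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, pos)        # TBSCertificate SEQUENCE
    tag, _, version_end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        pos = version_end
    for _ in range(5):  # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo SEQUENCE not found")
    return cert_der[pos:end]  # hash the whole TLV, not just the key bits

def pin_from_spki(spki_der):
    """Pin string for OkHttp / network_security_config: base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def is_well_formed_pin(pin):
    """Catch typos: 'sha256/' followed by base64 of exactly 32 bytes."""
    if not pin.startswith("sha256/"):
        return False
    try:
        return len(base64.b64decode(pin[7:], validate=True)) == 32
    except binascii.Error:
        return False

# Constructed sample certificate: valid DER layout, fake key/signature, empty names.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + _der(0x03, b"\x00\x04" + bytes(32)))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                             + _der(0x30, b"") * 4 + SAMPLE_SPKI)
                   + _der(0x30, b"") + _der(0x03, b"\x00" + bytes(8)))
SAMPLE_PIN = pin_from_spki(spki_from_der_cert(SAMPLE_CERT))
```

Run it against a real server certificate exported as DER (for example the one for BuildConfig.HOST_NAME) and the printed SAMPLE_PIN-style value is what goes into either the CertificatePinner.Builder().add(...) call or the `<pin>` element; generate a second one from the backup certificate so the backup pin the answer asks for is present.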