1. We are able to intercept requests/responses in the Burp Suite tool for API <= 23.
2. When I pass an incorrect SHA-256 pin to the certificate pinner, it throws the exception `com.android.volley.NoConnectionError: javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!`
3. When I pass the correct pin, it works and the request succeeds.
4. We have not set up a static SHA-256 pin in the network security config; we are doing it programmatically for all versions.

Please check what I am missing.

Using `'com.squareup.okhttp3', name: 'okhttp', version: '3.11.0'` and the network security config is:
```xml
<network-security-config>
    <base-config cleartextTrafficPermitted="true"/>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">abc.com</domain>
    </domain-config>
</network-security-config>
```
**and the SSL pinning Android code**

```java
import android.content.Context;
import com.android.volley.toolbox.HurlStack;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;

public static HurlStack getOkHttpStack(Context context) {
    HurlStack stack = null;
    try {
        // Use the platform's default trust manager (system + network-security-config trust anchors).
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected default trust managers:"
                    + Arrays.toString(trustManagers));
        }
        X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
        CertificatePinner certPinner = buildCertificatePinner(context);
        stack = new OkHttpStack(trustManager, certPinner);
    } catch (Exception e) {
        e.printStackTrace();
    }
    if (stack == null) {
        // Fallback path: the stock HurlStack has no certificate pinner and no custom socket factory.
        stack = new HurlStack();
    }
    return stack;
}
```
**CertificatePinner object creation**

```java
private static CertificatePinner buildCertificatePinner(Context context) {
    CertificatePinner pinner = null;
    // Code ---
    return pinner;
}
```
**OkHttp client object creation**

```java
import com.android.volley.toolbox.HurlStack;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public class OkHttpStack extends HurlStack {
    private OkHttpClient mClient;

    public OkHttpStack(X509TrustManager trustManager, CertificatePinner certPinner) throws Exception {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        if (trustManager != null) {
            // TLSSocketFactory is a custom SSLSocketFactory wrapper (not shown here).
            TLSSocketFactory factory = new TLSSocketFactory(trustManager);
            builder.sslSocketFactory(factory, trustManager);
        }
        if (certPinner != null) {
            builder.certificatePinner(certPinner);
        }
        mClient = builder.build();
    }
}
```
Between API levels 15 and 22, it is necessary to force enable TLS 1.2. So, you have to do this when building your OkHttpClient.