DEVHIDE
Login Or Sign up

SSLPinning is not working on android <= 23 with OKHTTTP

723 Views Asked by At

1-We are able to intercept request/response in the burp suite tool for API <=23. 2-When I pass incorrect sha-256 pin to certificate pinner then it throws exception com.android.volley.NoConnectionError: javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure! 3- when I pass the correct pin it works request gets success. 4- we are not set up static PIN sha256 in network security config. we are doing programmatically for all versions. Please check what I am missing.

Using 'com.squareup.okhttp3', name: 'okhttp', version: '3.11.0 and network security config is

<network-security-config>
    <base-config cleartextTrafficPermitted="true"/>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">abc.com</domain>
    </domain-config>
</network-security-config>
**and ssl pinning android code**

public static HurlStack getOkHttpStack(Context context) {
        HurlStack stack = null;
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init((KeyStore) null);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
                throw new IllegalStateException("Unexpected default trust managers:"
                        + Arrays.toString(trustManagers));
            }
            X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
            CertificatePinner certPinner = buildCertificatePinner(context);
            stack = new OkHttpStack(trustManager, certPinner);
        } catch (Exception e) {
            e.printStackTrace();
        }

        if (stack == null) {
            stack = new HurlStack();
        }
        return stack;
    }
**CertificatePinner object creation**

 private static CertificatePinner buildCertificatePinner(Context context) {

        CertificatePinner pinner = null;
          // COde ---
        return pinner;
    }
**Okhttp client object creation**

public OkHttpStack(X509TrustManager trustManager, CertificatePinner certPinner) throws Exception {
      OkHttpClient.Builder builder = new OkHttpClient.Builder();
      if (trustManager != null) {
          TLSSocketFactory factory = new TLSSocketFactory(trustManager);
          builder.sslSocketFactory(factory, trustManager);
      }
      if(certPinner != null){
          builder.certificatePinner(certPinner);
      }
      mClient = builder.build();
  }
android security ssl okhttp public-key-pinning
Original Q&A
1

There are 1 best solutions below

3
On

Between API levels 15 and 22, it is necessary to force enable TLS 1.2. So, you have to to this when building your OkHttpClient.

            if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1) {
            SSLContext sc = SSLContext.getInstance("TLSv1.2");
            sc.init(null, null, null);
            okHttpClientBuilder.sslSocketFactory(new Tls12SocketFactory(sc.getSocketFactory()),
                    trustManager
            );
        }

Related Questions in ANDROID

Related Questions in SECURITY

Related Questions in SSL

Related Questions in OKHTTP

Related Questions in PUBLIC-KEY-PINNING

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.