
Certificate Pinning in OkHttp vs Android Network Security Config

I'm trying out certificate pinning in my app, and I see that I can do it using OkHttp directly, or through Android Network Security Config.

Two practical differences I can think of are:

  1. OkHttp method is supported below Android 7
  2. Android Network Security Config method applies even when not using OkHttp

Are there any others?

With Android Network Security Config support "it is possible to set an expiration time for pins after which pinning is not performed". But ultimately as OkHttp is a programmatic API you can configure it any way that you want.

But a reminder to discuss and plan with your security team how you apply pinning, so you pin against a certificate policy they follow. You don't want to lock users out if the security team needs to re-issue certificates, change providers or switch to a backup.
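To make the "configure it any way that you want" point concrete, here is an added example (not code from either answer or from OkHttp's own docs) of the programmatic approach. It pins a primary key and a backup key for a placeholder host, and emulates the Network Security Config expiration date by simply not installing the pinner once the pins are stale, so a forgotten rotation degrades to "no pinning" rather than "no connectivity". The host names, pin values and expiry date are placeholders; a real pin is `sha256/` followed by the base64 of the SHA-256 digest of the server key's SubjectPublicKeyInfo.

```java
import java.util.Calendar;
import java.util.TimeZone;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/**
 * Added example, not from the original post. Builds an OkHttpClient whose
 * CertificatePinner carries a primary pin plus a backup pin, and drops
 * pinning entirely after a fixed expiry date so stale pins cannot lock
 * users out. Host names and pin values below are placeholders.
 */
public final class PinnedClientFactory {

    // Placeholder pins (all-zero digests). Each is "sha256/" + base64 of the
    // 32-byte SHA-256 of the SubjectPublicKeyInfo; replace with real values.
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    // Backup pin for a key kept offline, so the team can rotate without an app update.
    static final String BACKUP_PIN  = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ=";

    // Stale-pin cutoff; plays the role of <pin-set expiration="..."> in NSC.
    // java.util.Calendar is used instead of java.time so this also runs below API 26.
    static final long PIN_EXPIRY_MILLIS = utcMidnightMillis(2025, 12, 31);

    static long utcMidnightMillis(int year, int month1to12, int day) {
        Calendar c = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
        c.clear();
        c.set(year, month1to12 - 1, day);
        return c.getTimeInMillis();
    }

    /** Returns true when pins should still be enforced at the given instant. */
    static boolean pinsStillValid(long nowMillis) {
        return nowMillis < PIN_EXPIRY_MILLIS;
    }

    /** Builds the client; pinning is only installed while the pins are unexpired. */
    public static OkHttpClient build(long nowMillis) {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        if (pinsStillValid(nowMillis)) {
            CertificatePinner pinner = new CertificatePinner.Builder()
                    // Both pins are accepted for the host; either key in the
                    // served chain satisfies the check.
                    .add("api.example.com", PRIMARY_PIN, BACKUP_PIN)
                    // "*." matches exactly one subdomain label.
                    .add("*.cdn.example.com", PRIMARY_PIN, BACKUP_PIN)
                    .build();
            builder.certificatePinner(pinner);
        }
        return builder.build();
    }

    public static OkHttpClient build() {
        return build(System.currentTimeMillis());
    }
}
```

When a pinned host presents a chain containing neither key, OkHttp fails the connection with `javax.net.ssl.SSLPeerUnverifiedException`; hosts not named in the pinner are not pinned at all, so keep the pattern list in step with the endpoints the app actually talks to.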

The Programmatic Approach

OkHttp method is supported below Android 7

Yes it is, but programming such an important piece of security software yourself is not an easy task, and you can easily shoot yourself in the foot, even when you are well versed in security and certificate pinning.

If you really need to support certificate pinning below Android API 24 then I would recommend you use TrustKit:

TrustKit Android is an open source library that makes it easy to deploy SSL public key pinning and reporting in any Android App.

The Configuration Approach

Android Network Security Config method applies even when not using OkHttp

This is one of its main advantages, alongside the fact that it is not prone to programmatic errors, only to configuration errors, like not correctly extracting the public key pin for the domain being pinned and/or having typos in it.

Fortunately we now have a free online tool to help us prevent such errors. The Mobile Certificate Pinning Generator will give us a ready-to-use network_security_config.xml file for the domain(s) we want to pin in our mobile app.

For example:

[Image: Configuration tab]

[Image: Network security config file]

Now you just need to copy-paste the file into your project, and the tool even has a step-by-step tutorial to show you how to do it correctly.

You can also use the tool to get the pins to use in TrustKit :)
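For reference, here is what such a network_security_config.xml looks like, as an added example rather than output from the generator or from either answer. It pins a placeholder domain and its subdomains with a primary and a backup SHA-256 SPKI pin, sets the expiration after which Android stops enforcing the pins instead of failing connections, and keeps the system trust anchors. Host names, pin values and the date are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, placeholders throughout).
     Reference it from AndroidManifest.xml:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Pinning via this file is enforced from Android 7.0 (API 24) onward. -->
<network-security-config>
    <domain-config>
        <!-- includeSubdomains covers api.example.com, cdn.example.com, etc. -->
        <domain includeSubdomains="true">example.com</domain>

        <!-- After this date Android stops enforcing the pins rather than
             blocking traffic, which protects users from a forgotten rotation. -->
        <pin-set expiration="2025-12-31">
            <!-- Pin currently in use: base64(SHA-256(SubjectPublicKeyInfo DER)).
                 Placeholder value (all-zero digest). -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin for a key kept offline, so the team can rotate
                 without shipping an app update. Placeholder value. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ=</pin>
        </pin-set>

        <!-- Pinning narrows trust; the chain must still validate against
             the platform CA store. -->
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Check the result on a device before release: a pinned domain served with a key outside the pin-set must fail to connect on API 24+, while the same app built with the expiration date in the past must connect normally, which confirms both the pin values and the fallback behaviour you intended.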
