Certificate pinning #345

Open
ryanw-mobile opened this issue Oct 25, 2024 · 0 comments
Labels
feature A new feature for the user, not a new feature for a build script.

@ryanw-mobile (Owner)

Can investigate how to make this work on Ktor (and GraphQL).

Certificate pinning is a security mechanism used to prevent man-in-the-middle (MITM) attacks by associating a host with its expected X.509 certificate or public key. When a client (like an Android app) connects to a server, it checks the server's certificate against the pinned certificate or public key. If they don't match, the connection is rejected.

Benefits of Certificate Pinning:

- Increased Security: By limiting which certificates can be accepted, certificate pinning reduces the risk of a compromised Certificate Authority (CA) being exploited.
- Protection Against MITM Attacks: It ensures that the client is connecting to the legitimate server and not to an attacker.

How to Implement Certificate Pinning on Android

  1. Using OkHttp:

If you are using OkHttp as your networking library, you can easily implement certificate pinning.

Step 1: Add your certificates to the project:

- Place your server's certificate in the res/raw directory (e.g., res/raw/my_cert.cer).

Step 2: Create a Pinning Configuration:

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

val hostname = "your.api.com"
val pinning = CertificatePinner.Builder()
    .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // Replace with your pinned SHA256 hash
    .build()

val client = OkHttpClient.Builder()
    .certificatePinner(pinning)
    .build()
```

  2. Using Network Security Configuration (Android 7.0 and above):

Android provides a way to configure security settings for your app via an XML file.

Step 1: Create a Network Security Configuration file.

- Create an XML file in the res/xml directory (e.g., network_security_config.xml):

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain>your.api.com</domain>
        <pin-set>
            <!-- Replace with your pinned SHA256 hash -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Step 2: Reference the Configuration in your Manifest:

```xml
<application
    ...
    android:networkSecurityConfig="@xml/network_security_config">
    ...
</application>
```

Summary:

1. Certificate Pinning is an important security measure that helps ensure that your Android app connects only to trusted servers by validating the server's certificate against pinned values.
2. Implementation can be done via:
   - OkHttp for custom HTTP clients by specifying a CertificatePinner.
   - Network Security Configuration XML for a more declarative approach, especially useful in apps targeting Android 7.0 (API level 24) and above.
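Added example (not code from the issue or the project): the `sha256/...` value in both the OkHttp and XML configurations above is the base64 of the SHA-256 over the certificate's DER-encoded SubjectPublicKeyInfo, not over the whole certificate. This Python computes that pin from a DER certificate and checks it against a pin set the way the client would; the certificate bytes are constructed in-line (dummy names and signature) and show that re-issuing a certificate with the same key leaves the pin unchanged.

```python
import base64
import hashlib

def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV header at buf[pos]; return (tag, value_start, end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                                    # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        value_start = pos + 2 + n
    else:
        length, value_start = first, pos + 2
    return tag, value_start, value_start + length

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (tag+length+value) of an X.509 cert."""
    _, pos, _ = _tlv(cert_der, 0)        # Certificate SEQUENCE -> tbsCertificate
    _, pos, _ = _tlv(cert_der, pos)      # tbsCertificate SEQUENCE -> first field
    # Skip [0] version (optional), serialNumber, signature, issuer, validity, subject.
    for _ in range(6 if _tlv(cert_der, pos)[0] == 0xA0 else 5):
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]

def pin_for_cert(cert_der: bytes) -> str:
    """OkHttp / Network Security Config pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(spki_from_cert(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """Accept the server certificate only if its SPKI pin is in the pin set."""
    return pin_for_cert(cert_der) in pinned

# --- constructed sample (not a real certificate): minimal DER encoder ---------
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
SAMPLE_SPKI = _der(0x30, _ALG + _der(0x03, b"\x00" + b"\x11" * 160))    # dummy key bits

def make_cert(spki: bytes, serial: int) -> bytes:
    """Certificate-shaped DER around `spki`; names and signature are dummies."""
    name, validity = _der(0x30, b""), _der(0x30, _der(0x17, b"241025000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _ALG + name + validity + name + spki)
    return _der(0x30, tbs + _ALG + _der(0x03, b"\x00" + bytes([serial]) * 32))

CERT_A = make_cert(SAMPLE_SPKI, 1)
CERT_B = make_cert(SAMPLE_SPKI, 2)  # reissued with the same key: pin is unchanged
```

For a real certificate, `pin_for_cert(open("server.der", "rb").read())` yields the string to paste into `CertificatePinner.add()` or the `<pin>` element; pinning a backup key's pin alongside it avoids locking users out on key rotation.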
ryanw-mobile added the "feature" label on Oct 25, 2024.