Certificate Pinning:
To summarize, pinning a certificate means that your app verifies it is talking to the real site by comparing the certificate presented by the server (or the public key inside it) against one bundled in the app, instead of trusting whatever a CA in the device's trust store happens to have signed. This blocks a man-in-the-middle who holds a certificate for your domain issued by a rogue, compromised or user-installed CA. It does not help against an attacker who has the server's own private key.
SSL pinning isn't something you want to implement in all your applications, but it makes sense when developing high-risk apps that need strong protection.
HOW DOES THIS WORK ON ANDROID?
- obtain the certificate for the desired host (preferably the whole certificate chain, so you can choose whether to pin the leaf, the intermediate or the root; "openssl s_client -connect host:443 -showcerts" prints the chain the server sends)
- put the certificate(s) into a .bks (BouncyCastle) keystore. This step is crucial for pinning to work properly across all devices: the JKS format that keytool produces by default does not load on Android, BKS does
- use the Apache HTTP client shipped with Android, initialised with an SSLSocketFactory that trusts only the bundled .bks keystore rather than the system CA store. Note that this client was deprecated in API 22 and removed in API 23; on current Android the same effect is obtained with HttpsURLConnection and a TrustManager built from the keystore, with OkHttp's CertificatePinner, or with the Network Security Config pin-set on API 24 and later
Risks Involved
There is a downside to pinning a certificate. If the site rotates its certificate on a regular basis, then your application needs to be updated every time, and users still on an old version are locked out until they upgrade. For example, Google rotates its certificates, so an app pinned to a Google certificate would need to be updated about once a month (if it depended on Google services). Two ways to soften this: pin the public key (a hash of the SubjectPublicKeyInfo) rather than the whole certificate, since a renewed certificate for the same key then still passes; and pin the intermediate or root CA instead of the leaf, or ship a backup pin for a key that is not yet deployed, so that a rotation doesn't brick the app.
Example of a Failure Scenario
1. App has pinned certificate(s) to some domain name.
2. Certificates get updated on the server side.
3. Any version of the app that pinned the old certificate(s) and doesn't know about the new one(s) refuses the connection until the app itself is updated.
Links
Challenges
https://nelenkov.blogspot.in/2012/12/certificate-pinning-in-android-42.html
https://dev.to/drankolq/certificate-pinning-your-android-and-ios-apps