What is SSL ?<\/p>\n\n\n\n
SSL stands for Secure Socket Layer. It is a protocol for establishing secure data transfer between networked computers or servers.<\/p>\n\n\n\n
Need For SSL-<\/p>\n\n\n\n
Many developers assume that using HTTPS in a network layer is enough to be sure that user data transfer will be fully secured and not compromised by a Man-in-the-Middle (MitM) attack. In most cases that is true, but not always.<\/p>\n\n\n\n
This is why to secure information passed by a browser, like a customer’s credit card number or password to a web server, most of the applications like an online store or online banking application uses SSL to prevent Man-in-the-Middle.<\/p>\n\n\n\n
Android SSL Pinning–<\/p>\n\n\n\n
There multiple ways we can perform SSL pinning in android <\/p>\n\n\n\n
1- Certificate pinning<\/p>\n\n\n\n
2-Public key pinning <\/p>\n\n\n\n
3- SPKI (SubjectPublicKeyInfo) pinning <\/p>\n\n\n\n
Here we will focus our attention on Public key pinning as it is the most recommended way for safe SSL pinning operations.<\/p>\n\n\n\n
To implement the pinning you need to know your certificates SPKI data.<\/p>\n\n\n\n
we can retrieve it using OpenSSL.<\/p>\n\n\n\n
Pinning on Android N(API 24) and above-:<\/p>\n\n\n\n
If minimum SDK is Android N then the implementation is very simple as Android has a new API in Android SDK from API 24 onwards the Network Security Configuration.<\/p>\n\n\n\n
you just need to enter an XML configuration file that defines the pins you require in our AndroidManifest.xml file.<\/p>\n\n\n\n
<?xml version=”1.0″ encoding=”utf-8″?><\/em><\/p>\n\n\n\n <network-security-config><\/em><\/p>\n\n\n\n <domain-config><\/em><\/p>\n\n\n\n <domain includeSubdomains=”true”>xyz.com<\/domain><\/em><\/p>\n\n\n\n <pin-set><\/em><\/p>\n\n\n\n <pin digest=”SHA-256″>6jj6tz+scE+XW+mlai6ZipDfFWn1dqvfLG+nU7tq1V8=<\/pin><\/em><\/p>\n\n\n\n <pin digest=”SHA-256″>LLh6dUR9y6Kka30RrAn7fKbQG\/uEtLMkBgFF2Fuihg=<\/pin><\/em><\/p>\n\n\n\n <\/pin-set><\/em><\/p>\n\n\n\n <\/domain-config><\/em><\/p>\n\n\n\n <\/network-security-config><\/em><\/p>\n\n\n\n Declaration of Configuration file in AndroidManifest.xml:-<\/p>\n\n\n\n <?xml version=”1.0″ encoding=”utf-8″?><\/em><\/p>\n\n\n\n <manifest xmlns:android=”http:\/\/schemas.android.com\/apk\/res\/android”<\/em><\/p>\n\n\n\n xmlns:tools=”http:\/\/schemas.android.com\/tools”<\/em><\/p>\n\n\n\n ………………<\/p>\n\n\n\n ……………. <\/p>\n\n\n\n <application<\/em><\/p>\n\n\n\n android:name=”.application.XYZApplication”<\/em><\/p>\n\n\n\n android:allowBackup=”false”<\/em><\/p>\n\n\n\n android:icon=”@mipmap\/app_launcher”<\/em><\/p>\n\n\n\n android:label=”@string\/app_name”<\/em><\/p>\n\n\n\n android:supportsRtl=”true”<\/em><\/p>\n\n\n\n android:theme=”@style\/AppTheme” <\/em> <\/p>\n\n\n\n android:networkSecurityConfig=”@xml\/network_security_config”<\/em><\/p>\n\n\n\n tools:replace=”android:allowBackup,android:icon”><\/em><\/p>\n\n\n\n <\/application><\/em><\/p>\n\n\n\n <\/manifest><\/em><\/p>\n\n\n\n if you want to use network libraries for pinning we can do the following <\/p>\n\n\n\n Pinning with Retrofit-<\/p>\n\n\n\n Pining with Retrofit is easy being built on top of OkHttp.<\/p>\n\n\n\n CertificatePinner certPinner = new CertificatePinner.Builder()<\/em><\/p>\n\n\n\n .add(“xyz.com”,<\/em><\/p>\n\n\n\n “sha256\/8Rw90Ej3Ttt8RRkrg+WYDS9n7IS03bk5bjP\/UXPtaY8=”)<\/em><\/p>\n\n\n\n .build();<\/em><\/p>\n\n\n\n <\/p>\n\n\n\n OkHttpClient okHttpClient = new OkHttpClient.Builder()<\/em><\/p>\n\n\n\n .certificatePinner(certPinner)<\/em><\/p>\n\n\n\n .build();<\/em><\/p>\n\n\n\n <\/p>\n\n\n\n Retrofit retrofit = new Retrofit.Builder()<\/em><\/p>\n\n\n\n .baseUrl(“https:\/\/xyz.com”)<\/em><\/p>\n\n\n\n .addConverterFactory(GsonConverterFactory.create())<\/em><\/p>\n\n\n\n .client(okHttpClient)<\/em><\/p>\n\n\n\n .build();<\/em><\/p>\n\n\n\n Pinning with HttpUrlConnection-<\/p>\n\n\n\n if you are still using HttpURlconnection consider upgrading it to some other network libraries.<\/p>\n\n\n\n What is SSL ? SSL stands for Secure Socket Layer. It is a protocol for establishing secure data transfer between networked computers or servers. Need For SSL- Many developers assume that using HTTPS in a network layer is enough to be sure that user data transfer will be fully secured and not compromised by a Man-in-the-Middle […]<\/p>\n","protected":false},"author":1,"featured_media":6094,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[71,6,102,258],"tags":[],"class_list":["post-6092","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile","category-mobile-web-app","category-web-service","category-web-technology"],"yoast_head":"\n<\/pre>\n\n\n
import java.io.BufferedReader;\nimport java.io.IOException;\nimport java.io.InputStream;\nimport java.io.InputStreamReader;\nimport java.io.OutputStreamWriter;\nimport java.net.HttpURLConnection;\nimport java.net.MalformedURLException;\nimport java.net.URL;\nimport java.security.KeyStore;\nimport java.security.KeyStoreException;\nimport java.security.MessageDigest;\nimport java.security.NoSuchAlgorithmException;\nimport java.security.cert.Certificate;\nimport java.security.cert.CertificateException;\nimport java.security.cert.X509Certificate;\nimport java.util.Arrays;\nimport java.util.List;\nimport java.util.Locale;\nimport javax.net.ssl.HttpsURLConnection;\nimport javax.net.ssl.SSLException;\nimport javax.net.ssl.SSLPeerUnverifiedException;\nimport javax.net.ssl.TrustManager;\nimport javax.net.ssl.TrustManagerFactory;\nimport javax.net.ssl.X509TrustManager;\n\n\npublic class WebServiceManager {\n\n private static String TAG = \"WebServiceManager\";\n\n\n \n\n \n private static String requestHttpsServer(String targetUrl, String jsonRequestString, int httpMethod, int readTimeOutType) throws IELTSException {\n String jsonResponseString = null;\n HttpsURLConnection httpsUrlConnection = null;\n URL url;\n try {\n url = new URL(AppConstants.BASE_URL + targetUrl);\n\n\n httpsUrlConnection = (HttpsURLConnection) url.openConnection();\n\n httpsUrlConnection.setConnectTimeout(AppConstants.TIME_CONNECTION_TIMEOUT);\n if (readTimeOutType == AppConstants.READ_TIMEOUT_SMALL) {\n httpsUrlConnection.setReadTimeout(AppConstants.TIME_CONNECTION_DATA_WAIT_TIMEOUT_SMALL);\n } else {\n httpsUrlConnection.setReadTimeout(AppConstants.TIME_CONNECTION_DATA_WAIT_TIMEOUT_LARGE);\n }\n\n\/\/ applying SSL pinning\n \n \/\/ getting SPKI keys for validation\n String[] spki = CachingManager.getAppContext().getResources().getStringArray(R.array.spki);\n List validPins = Arrays.asList(spki);\n\n \/\/ getting trust manager\n X509TrustManagerExtensions trustManagerExt = prepTrustManager();\n \/\/ validating pins for ssl pinning\n validatePinning(trustManagerExt, httpsUrlConnection, validPins);\n\n\n ......................\n\t\t ...................\n return jsonResponseString;\n }\n\n \n\n\n \/\/ this method validate the pins return by the server with the public key pin and throw an exception\n\t\n private static void validatePinning(X509TrustManagerExtensions trustManagerExt, HttpsURLConnection conn, List validPins)\n throws SSLException {\n String certChainMsg = \"\";\n try {\n MessageDigest md = MessageDigest.getInstance(\"SHA-256\");\n\n \/\/ getting list of trust chain\n List trustedChain = trustedChain(trustManagerExt, conn);\n\n \/\/ validating pins for both side\n for (X509Certificate cert : trustedChain) {\n byte[] publicKey = cert.getPublicKey().getEncoded();\n md.update(publicKey, 0, publicKey.length);\n String pin = Base64.encodeToString(md.digest(), Base64.NO_WRAP);\n certChainMsg += \" sha256\/\" + pin + \" : \" +\n cert.getSubjectDN().toString() + \"\\n\";\n if (validPins.contains(pin)) {\n return;\n }\n }\n } catch (NoSuchAlgorithmException e) {\n throw new SSLException(e);\n }\n throw new SSLPeerUnverifiedException(\"Certificate pinning \" +\n \"failure\\n Peer certificate chain:\\n\" + certChainMsg);\n }\n\n \/\/ extracting the X509 certificates chains for server end\n\t\n private static List trustedChain(X509TrustManagerExtensions trustManagerExt, HttpsURLConnection conn) throws SSLException {\n\n Certificate[] serverCerts = conn.getServerCertificates();\n\n X509Certificate[] untrustedCerts = Arrays.copyOf(serverCerts, serverCerts.length, X509Certificate[].class);\n\n String host = conn.getURL().getHost();\n try {\n return trustManagerExt.checkServerTrusted(untrustedCerts,\n \"RSA\", host);\n } catch (CertificateException e) {\n throw new SSLException(e);\n }\n }\n\n \/\/ prepare TrustManagers\n\t\n private static X509TrustManagerExtensions prepTrustManager() {\n \/\/ creating trust manager to get X509 trust manager\n TrustManagerFactory trustManagerFactory = null;\n try {\n trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n trustManagerFactory.init((KeyStore) null);\n\n } catch (NoSuchAlgorithmException | KeyStoreException e) {\n Log.e(TAG, e.toString());\n }\n\n \/\/ Find first X509TrustManager in the TrustManagerFactory\n X509TrustManager x509TrustManager = null;\n for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {\n if (trustManager instanceof X509TrustManager) {\n x509TrustManager = (X509TrustManager) trustManager;\n break;\n }\n }\n\n\n return new X509TrustManagerExtensions(x509TrustManager);\n\n }\n\n}\n<\/pre>","protected":false},"excerpt":{"rendered":"