frw/react-native-ssl-public-key-pinning

For the Wrong Key also gets Success 200 - Android

chathuralakmal opened this issue · 7 comments

I have followed the instructions for installing the library, and in App.js I have added the following.

```js
import { initializeSslPinning } from 'react-native-ssl-public-key-pinning';

try {
  // Register the pins before any request to the pinned domain is made.
  const response = await initializeSslPinning({
    'google.com': {
      includeSubdomains: true,
      publicKeyHashes: [
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
        'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
      ],
    },
  });
  console.log('THIS CALLED (1) ', response);
} catch (error) {
  console.log('ERROR ****', error);
}

// ...

// This request should fail with an error
try {
  const response = await fetch('https://google.com');
  console.log('RESPONSE (1) -----> ', response.status);
} catch (error) {
  console.log('ERROR ', error);
}
```

This always returns 200.

```json
"react-native": "0.63.2",
"react-native-ssl-public-key-pinning": "^1.0.6",
```

frw commented

Could you create a repository with a minimal reproducible example?
You can also check out the example app and see what's different with your setup: https://github.com/frw/react-native-ssl-public-key-pinning/tree/main/example

frw commented

Also, try changing this line

```js
const response = await fetch('google.com');
```

to this line

```js
const response = await fetch('https://google.com');
```

By default fetch is done over HTTP, which will not be affected by our pinning.

@frw The example I downloaded works fine. I cannot understand why it does not work in my app. Could it be because of the React Native version?

@chathuralakmal Try running without debug; you will get the correct response, I think. I was also getting the same issue, but I disabled debug and ran it, and then I got the proper response.

@abhishekrup @frw I just found out it works fine on iOS. I believe maybe it's because it's using TrustKit. Will try out TrustKit on Android.

frw commented

@chathuralakmal @abhishekrup

I just found out that if your React Native Android version is below 65, you have to set includeSubdomains: false and match your domains exactly. This is because RN Android v64 and below still uses OkHttp v3, and wildcard domain support (which this library relies on for includeSubdomains) was only introduced in OkHttp v4.3. This could be the reason why you're not seeing your domains pinned.

Try the following code instead:

```js
await initializeSslPinning({
  'www.google.com': {
    publicKeyHashes: [
      'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
      'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
    ],
  },
});

// ...

// This request should fail with an error
const response = await fetch('https://www.google.com');
```
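The two failure modes raised in this thread (a request that is not an absolute `https://` URL is never subject to pinning, and a host that is only covered via `includeSubdomains` is not pinned where the underlying HTTP stack only does exact host matching) can be checked offline before shipping a config. The following is an added example, not code from react-native-ssl-public-key-pinning or from anyone in this thread; the function names, the `wildcardSupport` flag and the `classifyRequest` result strings are this example's own inventions, and the config is a constructed sample in the shape `initializeSslPinning` takes. It is a simplified emulation of the two matching behaviours frw describes, not the library's or OkHttp's actual matching code.

```javascript
// Added example (not part of react-native-ssl-public-key-pinning).
// Emulates two host-matching modes described in the thread:
//   wildcardSupport: false -> only hosts listed verbatim are pinned; includeSubdomains
//                             has no effect (what the thread reports for older RN Android)
//   wildcardSupport: true  -> a domain with includeSubdomains also covers every subdomain
// Names below are this example's own, not the library's API.

// Constructed sample config, same shape as the initializeSslPinning argument.
const SAMPLE_PINNING_CONFIG = {
  'google.com': {
    includeSubdomains: true,
    publicKeyHashes: [
      'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=',
      'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=',
    ],
  },
};

// Return the config entry that pins `hostname` under the given matching mode, or null.
function findPinEntry(config, hostname, { wildcardSupport }) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  for (const [domain, entry] of Object.entries(config)) {
    const pinned = domain.toLowerCase();
    if (host === pinned) return entry;
    if (wildcardSupport && entry.includeSubdomains && host.endsWith('.' + pinned)) {
      return entry;
    }
  }
  return null;
}

// Classify a request URL before trusting that pinning will protect it.
// Returns 'not-https' (relative URL, or any scheme other than https),
// 'not-pinned' (https but no matching entry) or 'pinned'.
function classifyRequest(config, url, opts) {
  let parsed;
  try {
    parsed = new URL(url); // throws for 'google.com': no scheme, no base
  } catch (e) {
    return 'not-https';
  }
  if (parsed.protocol !== 'https:') return 'not-https';
  return findPinEntry(config, parsed.hostname, opts) ? 'pinned' : 'not-pinned';
}

// Workaround from the thread for exact-match-only stacks: drop includeSubdomains and
// list every host the app actually contacts, each with the pins of the entry that
// would have covered it under wildcard matching.
function toExactHostConfig(config, hostsInUse) {
  const out = {};
  for (const host of hostsInUse) {
    const entry = findPinEntry(config, host, { wildcardSupport: true });
    if (!entry) throw new Error('no pin entry covers ' + host);
    out[host] = { publicKeyHashes: entry.publicKeyHashes.slice() };
  }
  return out;
}

// Stand-alone demo of the three cases discussed in the thread.
console.log(classifyRequest(SAMPLE_PINNING_CONFIG, 'google.com', { wildcardSupport: true }));
console.log(classifyRequest(SAMPLE_PINNING_CONFIG, 'https://www.google.com', { wildcardSupport: false }));
console.log(classifyRequest(SAMPLE_PINNING_CONFIG, 'https://www.google.com', { wildcardSupport: true }));
console.log(toExactHostConfig(SAMPLE_PINNING_CONFIG, ['www.google.com']));
```

Run `classifyRequest` over every URL your app fetches with `wildcardSupport: false` when targeting the older RN Android versions discussed above; anything that comes back `not-pinned` needs its own entry, which `toExactHostConfig` generates. Because pins are checked per connection host, a redirect that lands on a different host is only covered if that host has its own entry under exact matching, so include redirect targets in `hostsInUse`.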

frw commented

Closing since the issue seems to be with an older RN version and workarounds have been provided.
Let me know if you're still facing any issues!