ito-org/react-native-ito

Certificate pinning?

kreativmonkey opened this issue · 3 comments

Certificate pinning: We currently rely on Android to verify the server TLS certificate. This can in theory allow MITM attacks!

FYI: Currently I'm struggling to get the app running in my development environment but as soon as I'm able to deploy code to my device, I'm going to try the second solution, the implementation using OkHttp.

Reasons:

  • The code currently says "//TODO use a more sophisticated library", and OkHttp seems to be a solid solution for that
  • Network Security Configuration requires at least Android 7.0 (API level 24), which would lock out the app from being used on older smartphones (6.x still seems to have a market share of > 10 %)
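For reference, this is what the OkHttp-based pinning proposed above looks like. It is an added example, not code from react-native-ito or from the commenter; the hostname and both pin hashes are placeholders, and the `fetch` helper and `PinnedClient` class are names chosen here.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Added example: an OkHttp client that pins the backend's certificate chain.
// HOSTNAME and the pin values below are placeholders, not the project's real ones.
public final class PinnedClient {
    static final String HOSTNAME = "api.example.invalid";

    // Pins are "sha256/" + base64(SHA-256 of the certificate's SubjectPublicKeyInfo).
    // Ship at least two pins (e.g. leaf plus intermediate, or a rotation key) so a
    // routine certificate renewal cannot lock every installed app out of the server.
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; // placeholder
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA="; // placeholder

    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOSTNAME, PRIMARY_PIN)
                .add(HOSTNAME, BACKUP_PIN)
                .build();
        // Pinning is applied after the normal chain validation, not instead of it.
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // Returns the response body, or null when the served chain matched no pin.
    static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // OkHttp throws this when none of the configured pins match. Its message
            // lists the pins of the chain actually presented, which is how the real
            // values are collected before release. Fail closed: log it, never fall
            // back to an unpinned client.
            System.err.println("Pin mismatch for " + HOSTNAME + ": " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        String body = fetch(build(), "https://" + HOSTNAME + "/");
        System.out.println(body == null ? "request rejected by pin check" : "ok");
    }
}
```

With placeholder pins every connection is rejected, which is the intended failure mode; replacing them with the hashes from the server's real chain (and wiring the client into React Native's network module) is the remaining work.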

@assert-not-singularity OkHttp would also enable us to go through a proxy server for up- and downloading TCNs (#27). I say go for it, definitely.