Menu
I'm trying out certificate pinning in my app, and I see that I can do it using OkHttp directly, or through Android Network Security Config.
Two practical differences I can think of are:
Are there any others?
563
OkHttp method is supported below Android 7
Yes it his but programming yourself a such important piece of security software is not an easy task and you can easily shoot yourself on the foot, even when you are well versed in security and certificate pinning.
If you really need to support certificate pinning below Android API 24 then I would recommend you to use TrustKit:
TrustKit Android is an open source library that makes it easy to deploy SSL public key pinning and reporting in any Android App.
Android Network Security Config method applies even when not using OkHttp
This is one of its main advantages alongside the fact that is not prone to programmatic errors, only configuration errors, like not correctly extract the public key pin for the domain being pinned and/or having typos on it.
Fortunately we have now an online free tool to help us prevent such errors. The Mobile Certificate Pinning Generator will give us a ready to use network_security_config.xml file for the domain(s) we want to pin in our mobile app.
For example:
Now you just need to copy paste the file into your project and the tool even as a step by step tutorial to show us how to do it correctly.
You can also use the tool to get the pins to use in TrustKit :)
88
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
