ANDROID SSL PINNING USING OKHTTP

Chema Rubio
Jul 5, 2016 · 2 min read
Image for post
Image for post

When users access information via mobile devices, security in communication channels is crucial. Sometimes sensitive data has to be shared between applications and servers, for example, banking applications in which SSL is used to keep data integrity and privacy.


SSL Pinning is ensuring that any client SSL request first validates that the server’s certificate exactly matches the bundle’s certificate previously stored in the application.

Certificate pinning techniques are based on maximize protection when validating a digital certificate in a secure connection. Digital certification validation is based on analyzing the certification chain trust in order to see if it contains one of the stored certificates in which it trusts.

When unique server certificates are stored, and a key validation takes place in every connection, then we are performing certificate pinning.


Relying on matching certificates between device and server opens up a security hole since anyone can generate their own certificate and private key, so a simple handshake between these two actors doesn’t prove anything but the server knows the private key that matches the public key of the certificate.

The idea is to prevent a man in the middle attack. Certificate pinning does by ensuring a specific server public key is used to initiate secured traffic.

SSL pinning isn’t something you want to implement in all your applications, but it makes sense when developing high-risk apps that need strong protection.


There are important steps in the process:

  • Obtaining a certificate for the desired host (preferably the whole certificate chain).
  • Make sure certificate is in .bks format.
  • Pin the certificate to an instance of DefaultHttpClient using the obtained .bks keystore for SSL connections.

According to https://github.com/square/okhttp documentation, in order to implement certificate pinning next steps are need to be done:


Application certificates will eventually expire. It is necessary to plan an update with the new certificate, or preparing the application to download the new certificate when available.


In order to make OkHttp peer certificate generation automatic, there is a very useful tool https://github.com/fabiomsr/okhttp-peer-certificate-extractor that makes this certificate generation process faster.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store