ANDROID SSL PINNING USING OKHTTP

When users access information via mobile devices, the security of the communication channel is crucial. Sensitive data often has to be exchanged between applications and servers, for example in banking applications, where SSL is used to protect the integrity and privacy of the data.


WHAT IS CERTIFICATE PINNING?

SSL pinning means that every SSL request from the client first validates that the server’s certificate exactly matches the certificate previously bundled with the application.

Certificate pinning techniques aim to maximize protection when validating a digital certificate in a secure connection. Digital certificate validation analyzes the certificate trust chain to see whether it contains one of the stored certificates that the application trusts.

When unique server certificates are stored in the application and key validation takes place on every connection, we are performing certificate pinning.


WHY USE CERTIFICATE PINNING?

Relying on matching certificates between device and server opens up a security hole, since anyone can generate their own certificate and private key. A simple handshake between these two actors therefore proves nothing except that the server knows the private key that matches the public key of the certificate.

The idea is to prevent a man-in-the-middle attack. Certificate pinning does this by ensuring that a specific server public key is used to initiate secured traffic.

SSL pinning isn’t something you want to implement in all your applications, but it makes sense when developing high-risk apps that need strong protection.


HOW DOES THIS WORK ON ANDROID?

There are three important steps in the process:

  • Obtain a certificate for the desired host (preferably the whole certificate chain).
  • Make sure the certificate is in .bks format.
  • Pin the certificate to an instance of DefaultHttpClient using the obtained .bks keystore for SSL connections.

HOW DO WE IMPLEMENT CERTIFICATE PINNING?

According to the OkHttp documentation (https://github.com/square/okhttp), the following steps are needed to implement certificate pinning:
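One way to set this up with OkHttp's CertificatePinner, shown as an added example that is not code from the original article or from the OkHttp project. The class name PinnedClient and the host and pin arguments are assumptions; java.util.Base64 requires Android API 26 or later.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// Hypothetical helper class (added example, not from the article).
public final class PinnedClient {

    private PinnedClient() {}

    /**
     * Computes a pin in the format OkHttp expects:
     * "sha256/" + Base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
     * The stream holds one X.509 certificate (PEM or DER), for example
     * the server certificate shipped in the app's raw resources.
     */
    public static String pinOf(InputStream certStream) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory
                .getInstance("X.509")
                .generateCertificate(certStream);
        // getEncoded() on an X.509 public key returns the SubjectPublicKeyInfo in DER.
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    /**
     * Builds a client that accepts a connection to {@code host} only if the
     * server's chain contains a key matching one of the pins. A second pin
     * for a key that is not yet deployed lets the server certificate be
     * renewed without locking out installed copies of the app.
     */
    public static OkHttpClient build(String host, String currentPin, String backupPin) {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(host, currentPin)
                .add(host, backupPin)
                .build();
        // On a mismatch OkHttp fails the call with SSLPeerUnverifiedException;
        // the normal trust-chain validation still runs in addition to the pin check.
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

Because the pin covers the public key rather than the whole certificate, a renewed certificate that reuses the same key pair still matches the existing pin.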


PROBLEMS

Application certificates will eventually expire. You need to plan an update that ships the new certificate, or prepare the application to download the new certificate when it becomes available.


BONUS

To automate OkHttp peer certificate generation, there is a very useful tool, https://github.com/fabiomsr/okhttp-peer-certificate-extractor, that makes this certificate generation process faster.