Android Security Tip: Public Key Pinning with Volley Library

Faruk Toptaş
Published in Android Bits
2 min read · Jan 15, 2016

Certificate or public key pinning is a security mechanism that makes MITM (man-in-the-middle) attacks more difficult. Using HTTPS alone is not enough to make a network connection secure: by default the client accepts any certificate that chains to one of the many CAs in the device trust store, including the root certificate of a debugging proxy that the user (or malware on the device) has installed. Pinning restricts the connection to a known certificate or public key, and HTTPS should be hardened with it.

Volley is one of the most widely used networking libraries on Android, and it is supported by Google.

Let’s start coding step by step:

Download Volley and add the module to your app as described at http://developer.android.com/training/volley/index.html

Create a public key manager class that implements X509TrustManager (it is an interface, so it is implemented rather than extended). Then implement the code below:

TLS v1.1/v1.2 are supported on API Level 16+ devices, but they are enabled by default only on API Level 20+. I will enable TLS v1.1/v1.2 on every socket by extending SSLSocketFactory:

Create a RequestQueue with the pinned TLSSocketFactory, then make the request:
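The three steps above (pinning trust manager, TLS socket factory, pinned RequestQueue with one request) as a single added example. This is example code written for this page, not the author's gists or the GitHub sample. It assumes Java 8 lambdas, the com.android.volley.toolbox package, a placeholder host https://api.example.com and placeholder pins; replace the pins with the SHA-256 of your server's SubjectPublicKeyInfo plus a backup pin for the next key. It pins the leaf's public key rather than the certificate, so a re-issued certificate with the same key keeps working.

```java
import android.content.Context;
import android.util.Base64;
import android.util.Log;
import com.android.volley.Request;
import com.android.volley.RequestQueue;
import com.android.volley.toolbox.HurlStack;
import com.android.volley.toolbox.StringRequest;
import com.android.volley.toolbox.Volley;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** SPKI pinning for Volley: the platform validates the chain first, then the leaf key must match a pin. */
public final class PublicKeyPinner {
    /** X509TrustManager that adds a public key pin check on top of the device's default trust manager. */
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager systemTm;
        private final List<String> pins; // base64(SHA-256(SubjectPublicKeyInfo)): current key plus a backup key
        PinningTrustManager(String... pins) throws Exception {
            this.pins = Arrays.asList(pins);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null keystore = the device's default CA store
            X509TrustManager sys = null;
            for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) { sys = (X509TrustManager) tm; break; }
            if (sys == null) throw new IllegalStateException("no X509TrustManager available");
            this.systemTm = sys;
        }
        /** Same value as: openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64 */
        static String spkiSha256(X509Certificate cert) throws CertificateException {
            try {
                byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo, unchanged by certificate re-issue
                return Base64.encodeToString(MessageDigest.getInstance("SHA-256").digest(spki), Base64.NO_WRAP);
            } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            systemTm.checkServerTrusted(chain, authType); // expiry, signatures and a path to a trusted root
            if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
            // Leaf-only pin on the server-presented chain. Pinning an intermediate would need the *validated*
            // chain (android.net.http.X509TrustManagerExtensions, API 17+), since the server chooses what it sends.
            if (!pins.contains(spkiSha256(chain[0]))) throw new CertificateException("leaf public key matches no pin");
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { systemTm.checkClientTrusted(chain, authType); }
        @Override public X509Certificate[] getAcceptedIssuers() { return systemTm.getAcceptedIssuers(); }
    }

    /** SSLSocketFactory that enables TLS 1.1/1.2 on each socket (supported on API 16+, on by default only on API 20+). */
    static final class TLSSocketFactory extends SSLSocketFactory {
        private static final String[] PROTOCOLS = {"TLSv1.2", "TLSv1.1"};
        private final SSLSocketFactory delegate;
        TLSSocketFactory(X509TrustManager tm) throws Exception {
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[]{tm}, null); // the pinning trust manager is the only one installed
            delegate = ctx.getSocketFactory();
        }
        private static Socket tls(Socket s) {
            if (s instanceof SSLSocket) ((SSLSocket) s).setEnabledProtocols(PROTOCOLS);
            return s;
        }
        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket() throws IOException { return tls(delegate.createSocket()); }
        @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException { return tls(delegate.createSocket(s, h, p, close)); }
        @Override public Socket createSocket(String h, int p) throws IOException { return tls(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return tls(delegate.createSocket(h, p, lh, lp)); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return tls(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return tls(delegate.createSocket(h, p, lh, lp)); }
    }

    /** Volley queue whose HTTPS connections go through the pinned TLS 1.1/1.2 socket factory. */
    public static RequestQueue newPinnedQueue(Context ctx, String... pins) throws Exception {
        return Volley.newRequestQueue(ctx, new HurlStack(null, new TLSSocketFactory(new PinningTrustManager(pins))));
    }

    /** Fires one GET; against a proxy-intercepted connection the pin check fails and the error listener runs. */
    public static void ping(Context ctx) throws Exception {
        // Placeholder pins and host (assumed for this example). Always pin the key you will rotate to as well,
        // otherwise a routine key change locks every installed client out of your API.
        RequestQueue queue = newPinnedQueue(ctx,
                "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",   // current server key (placeholder)
                "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=");  // backup key (placeholder)
        queue.add(new StringRequest(Request.Method.GET, "https://api.example.com/ping",
                response -> Log.i("Pinning", "response: " + response),
                error -> Log.w("Pinning", "request failed: pin mismatch, TLS error or network", error)));
    }
}
```

Call `PublicKeyPinner.ping(getApplicationContext())` from an Activity, and keep the RequestQueue as a singleton rather than creating one per request. The system check runs before the pin check on purpose: an expired or mis-issued certificate with the right key is still rejected, and the pin then excludes every other certificate the device would otherwise trust. Hostname verification is untouched, since HttpsURLConnection keeps its default HostnameVerifier when only the SSLSocketFactory is replaced.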

How to test?

Charles is a great web debugging proxy: you can monitor your app's network traffic easily, and it also supports SSL Proxying, where Charles terminates TLS with its own certificate (signed by the Charles root CA that you install on the device) and re-encrypts towards the real server. You can test your app with Charles.
Before implementing public key pinning, make a simple HTTPS request and watch it in Charles. With the Charles CA trusted on the device the request succeeds and the decrypted request and response are visible. That's easy. (On Android 7.0+ apps no longer trust user-installed CAs by default, so a debug build needs a Network Security Config that trusts the user CA store for this step to work.)
Now implement pinning and try to intercept the traffic again. The Charles certificate chains to a CA the device trusts, so the normal check passes, but its public key does not match the pin, so the request fails and no request or response data can be seen in Charles. Pinning raises the bar rather than closing the door: an attacker who can run code inside the app process can patch the trust manager at run time, and a pin set without a backup pin will lock your own users out when the server key is rotated.

You can download the sample on GitHub.
