Droids communicating securely

Protect Your HTTPS Connection With SSL Pinning on Android

Cedric Ferry
Published in The Startup
3 min read · Sep 8, 2020


Welcome to this series of articles about Android security and how you can tremendously improve the protection of your users by implementing three measures that offer a great effort-to-safety ratio.

Today we are going to look at protecting the HTTPS connection. Your APIs and your users' data travel over that link, so it is crucial that the data is encrypted and unreadable in transit, and also that the server the app is talking to is the one you intended. TLS on its own only checks that the server's certificate chains up to one of the many certificate authorities the device trusts; pinning goes further and accepts only the specific key you expect, so a certificate issued by any other authority, including one installed on the device by a user or by malware, is rejected.

Prerequisite

An HTTPS connection to your API; if you do not use HTTPS yet, start immediately.

OkHttp (or Retrofit, which is built on top of it). OkHttp ships a CertificatePinner that lets you set up pinning with just a couple of lines of code.

A browser, or direct access to the server's HTTPS certificate.

OpenSSL

Finding the PIN

Every HTTPS certificate comes with a fingerprint, a hash (SHA-1 or SHA-256) of the whole certificate, and that is the value a browser displays. Be careful, though: the value OkHttp pins is not that fingerprint but the SHA-256 hash of the certificate's public key (the SubjectPublicKeyInfo), base64-encoded and prefixed with "sha256/". Pinning the public key rather than the certificate means the pin keeps working when the certificate is renewed with the same key. We are going to compute that value and use it to verify that the server we are connecting to is the one we expect. Plan to pin at least one backup key as well: if the only pinned key is ever rotated or compromised, every installed copy of the app loses connectivity until it is updated.

With a browser, connect to your HTTPS domain and click the padlock icon to show the certificate details, from where you can export the certificate.
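To make the difference between the browser fingerprint and the OkHttp pin concrete, here is an added example (not code from the article): a stdlib-only Python script with a minimal DER walker that pulls the SubjectPublicKeyInfo out of a certificate and prints both values. The certificate it runs on by default is a constructed, unsigned, structurally valid placeholder carrying an Ed25519 key, so the script works offline; pass a real .pem or .der file as the first argument to get the pin for your own server.

```python
"""Derive the OkHttp CertificatePinner pin from an X.509 certificate.

Added example (not from the article). OkHttp pins base64(SHA-256(SubjectPublicKeyInfo DER)),
NOT the certificate fingerprint a browser shows, so we extract the SPKI with a tiny DER walker.
"""
import base64
import hashlib
import sys


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf, pos):
    """Parse the TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, start, start + length


def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQ { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, tbs_pos, _ = _read_tlv(cert_der, 0)            # outer Certificate SEQUENCE
    tag, pos, tbs_end = _read_tlv(cert_der, tbs_pos)  # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = []                                       # (tag, element_start, element_end)
    while pos < tbs_end:
        tag, _, end = _read_tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields and fields[0][0] == 0xA0:               # skip EXPLICIT [0] version when present
        fields = fields[1:]
    tag, start, end = fields[5]                       # serial, sigalg, issuer, validity, subject, SPKI
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[start:end]


def spki_pin(spki_der):
    """OkHttp pin string for a SubjectPublicKeyInfo: 'sha256/' + base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def okhttp_pin(cert_der):
    """Pin to hand to CertificatePinner.Builder().add(host, pin) for this certificate."""
    return spki_pin(extract_spki(cert_der))


def cert_fingerprint(cert_der):
    """What a browser's certificate viewer shows: SHA-256 over the whole DER certificate."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def decode_cert(data):
    """Accept a PEM or DER certificate (bytes) and return the DER bytes."""
    begin, end = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
    if begin in data:
        body = data.split(begin, 1)[1].split(end, 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data


# Constructed sample: a structurally valid but unsigned, meaningless "certificate"
# carrying an Ed25519 SPKI (OID 1.3.101.112), so the script runs offline.
_ED25519_ALG = der(0x30, bytes.fromhex("06032b6570"))
SAMPLE_SPKI = der(0x30, _ED25519_ALG + der(0x03, b"\x00" + bytes(range(32))))
SAMPLE_CERT = der(0x30,
    der(0x30,                                                   # tbsCertificate
        der(0xA0, der(0x02, b"\x02"))                           # [0] version v3
        + der(0x02, b"\x01")                                    # serialNumber
        + _ED25519_ALG                                          # signature
        + der(0x30, b"")                                        # issuer (empty Name)
        + der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))  # validity
        + der(0x30, b"")                                        # subject
        + SAMPLE_SPKI)
    + _ED25519_ALG                                              # signatureAlgorithm
    + der(0x03, b"\x00" + bytes(64)))                           # signatureValue (dummy)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT)
              + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Usage: python pin.py server.pem   (defaults to the constructed sample above)
    cert = decode_cert(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else SAMPLE_CERT
    print("browser fingerprint (SHA-256 of cert):", cert_fingerprint(cert))
    print("OkHttp pin (SHA-256 of SPKI):         ", okhttp_pin(cert))
```

The two printed values never match, which is the point: pasting the browser's fingerprint into CertificatePinner produces a pin that can never validate. With OpenSSL installed, the same pin comes out of the pipeline `openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`, which is the recipe OkHttp's documentation gives.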
