Pinning certificates downloaded from the server in android
Therefore, if we ever needed to replace the API key, we would have to release a new version of the mobile app and expect all users to update it.

A smart and more secure approach is to always delegate any access to third party services to an API server under your control. This approach allows us to keep all secrets secured in a private place, instead of having them shipped with the mobile app and making them vulnerable to extraction by reverse engineering techniques or by a MitM attack.

The Currency Converter Demo app has been upgraded to move all the currency conversion logic into a dedicated API server under our control, which at the same time gives us more control over the certificates we will pin against. Now that you are aware of the changes made to the Currency Converter Demo app used in the previous article, it is time to see how certificate pinning was implemented on it. If you want to take a closer look, just clone the project from Github.

From Android 7.0 (Nougat, API level 24) onwards, implementing certificate pinning for a mobile app was made easier with the introduction of the network security config file, as detailed in this blog article by Google. In this file there is a section dedicated to configuring TrustKit, but using TrustKit in your mobile app is only necessary if you want to support devices below API level 24, where TrustKit takes over the job of ensuring that the connection is pinned against the correct certificate.

So now we need to reference the network security config file from the AndroidManifest. If your mobile app only targets Android API level 24 or above, then you are done with your certificate pinning implementation. Now you just need to rebuild your mobile app and try to MitM it, so that you can see how certificate pinning is protecting the secure communication channel between the mobile app and the API server.

Until now the certificate pinning has been agnostic of the http transport layer being used, but to handle certificate pinning below API level 24 we need to get our hands dirty.

Specifically, we need to hook into the chosen HTTP stack, with the risk of introducing security flaws that render certificate pinning useless or, in the worst case, turn HTTPS into an insecure channel.

In order to avoid all the pitfalls, bugs and security risks that we might introduce with our own implementation, it is best to delegate that responsibility to a community-trusted package, and this is where the TrustKit package comes into play, providing a secure and well-maintained certificate pinning implementation for your mobile app. The Currency Converter Demo app uses Google's official Volley library with the request queue singleton pattern, which in their words allows for more efficient handling of all network activity in the mobile app.

The main difference is in how we instantiate Volley through the VolleyQueueSingleton class. We go from instantiating it with only the current context to passing an additional second parameter that defines the HTTP stack we want to use.

This in turn lets us define which socket implementation to use, namely the TrustKit one.

If you pin against the public key you do not need to update your mobile app each time a certificate is rotated on the server, as long as you sign it with the same public key, and you can read the article Hands On Mobile API Security: Pinning Client Connections for more details on how this can be done: "For networking, the Android client uses the OkHttp library."

Please read the article The Problem with Pinning for more insights on bypassing it: "Unpinning works by hooking, or intercepting, function calls in the app as it runs."

Frida: "Inject your own scripts into black box processes."

Mobile App Attestation: the use of a Mobile App Attestation solution will enable the API server to know WHAT is sending the requests, thus allowing it to respond only to requests from a genuine mobile app while rejecting all other requests from unsafe sources.


The last command will start Frida, and keep it running silently. If it prints any output then something is probably wrong: most likely you've downloaded the server for the wrong architecture or you're not running these commands as root. To control it, you need to install the Frida CLI tools on your computer. You'll need Python installed for this, and then you just need to run:

You can test this by running frida-ps -U. This will connect to the server via USB (-U) and list the details of every running process on the target device. If this shows you a list of processes, you're all good! The last and most important step: we need to tell Frida to transform the target application, removing certificate pinning so we can see the traffic it's sending. To do so, we first need the package name of the target process.

You can see this listed somewhere in the output of frida-ps -U for every process that's currently running, or you can find it from the app's play store URL.

You can download a built APK of that app from its GitHub releases page and install it with adb install. We then need a script, which will rewrite the application. Frida scripts are simple JavaScript which can use Frida's API to define replacements for methods in the target application. By doing so, they can make a certificate-checking method do nothing, make a class ignore certificate pinning configuration, or almost anything else.

Writing these scripts is quite complicated. There are many small individual scripts available, designed to remove pinning from specific target apps or certain HTTPS libraries, but not many that try to remove pinning for all HTTPS traffic.

Fortunately I've been working on a general-purpose Frida script to do this, so you can just use that. It's available as frida-script. This combines many other public scripts, it's been tested against a variety of different targets already, and contributions to extend it to cover any new libraries or techniques that aren't currently covered are very welcome!

To use this, save frida-script. It's time to test this out!

Did I do something wrong, or is this code meant for pinning either (1) a CA certificate covering all certificates signed by that CA, or (2) a particular certificate signed by some CA?

Your code looks like Option 1 from the blog post, but that is for a CA-less solution, not one with your own CA.

Why does the code work for my own CA then? My guess is that the way this works is that you are effectively pinning to the CA's root cert, and so any cert signed by this CA will validate, but certs signed by other CAs will not.

My point was that the recipe is not for use with a CA , at least as far as Mr. Marlinspike's blog post covers.

Hence, your statement that "This statement indicates that this tutorial is meant for the CA certificate I have" is false, insofar as Option 1 is not supposed to have a CA, but rather a self-signed cert for the server.

Pin the CA's or server's certificate with a custom TrustManager. Override the checkServerTrusted.