Android Question SSL Certificate Pinning

[M. Giray Ozkan]

Hi,

I need to use ssl certificate pinning in my android project to avoid man-in-the-middle attacks and manually installed root certificates.

is there any way in B4A to do this?

Thanks

 

[Erel]

You can install the certificate on your device: https://www.globalsign.com/en/blog/installing-certificates-onto-android-devices/

 

[M. Giray Ozkan]

Hello

as you can imagine this is not easy way to do that. I reading a lot of articles ssl certificate pinning with using httpclient/okhttpclient but I've no idea how can I implement these codes to my project.

With default http client: https://github.com/ikust/hello-pinnedcerts
With okhttpClient : https://github.com/square/okhttp/wiki/HTTPS


1. I had .crt file from targeting web server which is I'm trying to ssl communication with it. (it was obtained using firefox)
2. I converted to a bks formatted keystore file
3. I put that file to res/raw folder.

I want to learn how can I use CertificatePinner in okHttp or SSLSocketFactory in default httpClient.

Thank you

 

[M. Giray Ozkan]

is there anybody who has an idea? @Erel ?

Thanks

 

[Erel]

Why don't you install the certificate on the device?

 

[M. Giray Ozkan]

Hello Erel,

is there any way to do programmatically on android device? On the other hand, install certificate to device is not the right way to achieve main purpose of SSL certificate pinning.

Please read these articles:

What is the SSL Certificate pinning and what is the concept? : https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

How to intercept SSL traffic on mobile device using Burp Suite: https://www.google.com.tr/search?q=...l4.6842j0j4&sourceid=chrome&es_sm=92&ie=UTF-8


Thanks

 

[Erel]

Currently it is not supported by the two http libraries.

 

[M. Giray Ozkan]

for forum search records:

this case is solved with https://www.b4x.com/android/forum/threads/okhttp-set-parameter-with-inline-java.64748/