0
 public static SSLContext getSSL() {
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        AssetManager assetManager = App.getAppContext()
                .getAssets();
        InputStream caInput = assetManager.open("cert.pem");
        java.security.cert.X509Certificate ca = null;
        try {
            ca = (java.security.cert.X509Certificate) cf
                    .generateCertificate(caInput);
        } catch (Exception er) {
        } finally {
            caInput.close();
        }
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca",
                ca);
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(tmfAlgorithm);
        tmf.init(keyStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    } catch (Exception e1) {
        return null;
    }
}

Ok this is how i do SSL Pinning in my Android application, and it all works perfect. So, What is the problem I have? I have cert.pem in my assets folder, what If I want to update my certificate? I will have to publish a new app on the store just for that. I dont want to do that, I want to know whats best way to handle such issue? Shall I download the certificate from somewhere and use it, or is there a way I can specify it via google play store and it can read it from there instead of assets folder? My goal is to avoid publishing new android app everytime i change the certificate.

Héctor
  • 24,444
  • 35
  • 132
  • 243
user3278732
  • 1,694
  • 10
  • 31
  • 67

1 Answers1

1

The point of certificate pinning is to mitigate man-in-the-middle (MITM) attacks. If you download the pinned certificate from a non-pinned source, you're not really any better off preventing MITM as this download source becomes MITM target.

Therefore, just ship your app with the pinnings you want.

Options to mitigate the update issue:

  1. Self-generate or purchase a certificate with a long validity period so you don't have to update that often.

  2. If you are using a purchased CA-backed certificate, don't pin the certificate itself but the CA's root certificate that is valid for decades. Of course this enables MITM with a certificate for your domain signed with that CA, but at least you're reducing the number of CAs you need to trust to only one.

laalto
  • 150,114
  • 66
  • 286
  • 303
  • 1
    A third option (the OWASP recommended one) would be to pin the used server public key (subjectPublicKeyInfo) instead of the certificate. The key usually stays when the certificate is renewed. – Robert Apr 12 '16 at 18:27
  • Additionally to pinning the SPKI, which is desirable as you can generate renewed certs with the same SPKI on expiration if needed, pinning a backup SKPI is recommended. See https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/ – Dori May 06 '16 at 19:39