I want to use SSL Pinning in volley network library. Is there any way to implement SSL pinning with volley? Does volley provide this support for security improvements?
Did you find anything? – Dimillian Feb 02 '15 at 10:26
Is the main purpose of this to prevent MITM? If the attacker can reverse compile the APK and extract the cert, what is it really preventing? – Takeshi Kaga Sep 09 '19 at 19:00
@TakeshiKaga I don't think you are quite right. Extracting the public key from the app won't help you perform a MITM attack, since you need the private key. For a better understanding, check how TLS works. What you can do is recompile the app and change the key, but that makes only your build vulnerable. – Michal Zhradnk Nono3551 Sep 09 '20 at 14:35
5 Answers
I just implemented it as described here: http://blog.ostorlab.co/2016/05/ssl-pinning-in-android-networking.html
Here is the needed code for a Volley implementation:
// Imports needed: java.io.BufferedInputStream, java.io.InputStream, java.io.IOException,
// java.security.KeyStore, java.security.GeneralSecurityException, java.security.cert.Certificate,
// java.security.cert.CertificateFactory, javax.net.ssl.SSLContext, javax.net.ssl.SSLSocketFactory,
// javax.net.ssl.TrustManagerFactory, com.android.volley.toolbox.HurlStack, com.android.volley.toolbox.Volley
private void initPinnedRequestQueue() throws GeneralSecurityException, IOException {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    // Parse the certificate bundled with the app under res/raw/cert.cer
    InputStream caInput = new BufferedInputStream(getResources().openRawResource(R.raw.cert));
    Certificate ca;
    try {
        ca = cf.generateCertificate(caInput);
    } finally {
        caInput.close();
    }
    // Create an empty KeyStore that contains only our pinned certificate
    String keyStoreType = KeyStore.getDefaultType();
    KeyStore trusted = KeyStore.getInstance(keyStoreType);
    trusted.load(null, null);
    trusted.setCertificateEntry("ca", ca);
    // Create a TrustManager that trusts only the certificate in our KeyStore
    // (the platform CA store is not consulted at all for this connection)
    String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
    tmf.init(trusted);
    // Create an SSLContext that uses our TrustManager
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, tmf.getTrustManagers(), null);
    SSLSocketFactory sf = context.getSocketFactory();
    // Hand the pinned socket factory to Volley's HurlStack
    mRequestQueue = Volley.newRequestQueue(mCtx.getApplicationContext(), new HurlStack(null, sf));
}
Seems to work!

It works the first/second time and shows an SSLHandshakeException. However, it doesn't work when you retry: you will successfully get the network response. – Chandler May 04 '21 at 04:30
I just looked into the same thing for a project I am working on. The position I am in may be different from yours, however.
I am using Volley with an OkHttp network stack (https://gist.github.com/JakeWharton/5616899):
Add these to your Gradle build:
compile "com.squareup.okhttp:okhttp:2.7.5"
compile "com.squareup.okhttp:okhttp-urlconnection:2.7.5"
Add an OKHttpStack class:
// Imports needed: com.squareup.okhttp.CertificatePinner, com.squareup.okhttp.OkHttpClient,
// com.squareup.okhttp.OkUrlFactory, com.android.volley.toolbox.HurlStack,
// java.io.IOException, java.net.HttpURLConnection, java.net.URL
public class OKHttpStack extends HurlStack {
    private final OkUrlFactory okUrlFactory;

    public OKHttpStack() {
        this(new OkUrlFactory(buildPinnedClient()));
    }

    public OKHttpStack(OkUrlFactory okUrlFactory) {
        if (okUrlFactory == null) {
            throw new NullPointerException("Client must not be null.");
        }
        this.okUrlFactory = okUrlFactory;
    }

    // OkHttp 2.x API, matching the okhttp:2.7.5 dependency declared above:
    // the pinner is set on the client rather than through a Builder.
    private static OkHttpClient buildPinnedClient() {
        OkHttpClient client = new OkHttpClient();
        client.setCertificatePinner(new CertificatePinner.Builder()
                // The pin is the SHA-256 of the server's SubjectPublicKeyInfo, not of the certificate
                .add("example.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
                .build());
        return client;
    }

    @Override
    protected HttpURLConnection createConnection(URL url) throws IOException {
        // Route Volley's HttpURLConnection through OkHttp so the pinner is enforced on every request
        return okUrlFactory.open(url);
    }
}
When you then create your RequestQueue, do something like:
Network network = new BasicNetwork(new OKHttpStack());
File cacheDir = new File(context.getCacheDir(), "volley");
int threads = 4;
mRequestQueue = new RequestQueue(new DiskBasedCache(cacheDir), network, threads);
// Unlike Volley.newRequestQueue(), the constructor does not start the dispatchers
mRequestQueue.start();
Please note I have yet to test this; we are thinking about pinning at the moment.
Good luck! Gav
References:
https://gist.github.com/JakeWharton/5616899
https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/CertificatePinning.java

Thank you man, your solution saved me. I had to implement SSL pinning on Android versions below 24, and we have two libraries in our app, Volley and Ksoap. I was getting no help from anywhere; even TrustKit was not working. Then I came across your solution and took the HurlStack part, and pinning was available with Volley in a jiffy. What I don't understand is this: I created an OkHttp client, added a certificate pinner to it, then had this code `mRequestQueue = Volley.newRequestQueue(context, new HurlStack(null, okClien.sslSocketFactory))`; the app ran smoothly but SSL pinning was not working. Do you know why? – beginner Mar 20 '20 at 11:41
When you create your instance of the RequestQueue (mRequestQueue) you are passing it a `new HurlStack` and not your custom `OKHttpStack`. Try switching out the instantiation of the RequestQueue with something like `mRequestQueue = Volley.newRequestQueue(context, new OKHttpStack(...));` – Gavin Harris Mar 25 '20 at 00:29
OK, I didn't know that we can instantiate a Volley request queue with OKHttpStack. I was limited by my knowledge in this area. I'll try this whenever I face this kind of thing again. Thanks :) – beginner Apr 01 '20 at 09:00
okUrlFactory.open is not available now, so the app crashes. Any solution for this? – Ankush Kapoor Jul 02 '21 at 07:03
You can use public key pinning instead of certificate pinning:

The problem with HPKP is that the app will be vulnerable the first time it connects to the web service. If an attacker can do a MitM at that moment, the client can be pinned with a wrong certificate for a very long time. This will not happen if you pin the connection using traditional certificate pinning. – arnau Jan 13 '17 at 09:03
I am implementing the exact same thing. I found a blog post that will hopefully be of help to you:
http://ogrelab.ikratko.com/using-android-volley-with-self-signed-certificate/

I tried this but there is a problem. I downloaded the sample code and just changed the website URL to "https://google.com", and it doesn't give any error: it connects to google.com and gets data. Did you see that? – KAPLANDROID Mar 24 '15 at 09:12
I tried the test certificate file and my own certificate, but the result is the same. – KAPLANDROID Mar 24 '15 at 09:26
You can use network_security_config.xml; more info: https://developer.android.com/training/articles/security-config

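As an added illustration of the network security config approach (not part of the answer above or of any of the linked projects), here is a network_security_config.xml that pins the example.com host and pin value used in the OkHttp answer; the backup pin and the expiration date are placeholders, and the file only takes effect on API 24 and later:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Reference it from the manifest <application> element with
     android:networkSecurityConfig="@xml/network_security_config".
     Requires API 24+; older devices ignore this file, which is why the
     HurlStack/OkHttp approaches above are still needed there. -->
<network-security-config>
    <domain-config>
        <!-- The pin set applies to this host and its subdomains -->
        <domain includeSubdomains="true">example.com</domain>
        <!-- Pins are SHA-256 digests of the SubjectPublicKeyInfo, the same
             value OkHttp's CertificatePinner expects after "sha256/".
             After the expiration date the pins are ignored and normal CA
             validation applies, so a missed key rotation degrades to
             system trust instead of breaking the app.
             The date below is an assumed placeholder. -->
        <pin-set expiration="2026-01-01">
            <!-- Pin value taken from the OkHttp answer above -->
            <pin digest="SHA-256">afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=</pin>
            <!-- Backup pin for the next key; PLACEHOLDER, replace with the real digest -->
            <pin digest="SHA-256">REPLACE_WITH_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
        <trust-anchors>
            <!-- Keep the platform CA store; the pin set further restricts which
                 chains are accepted, it does not replace chain validation -->
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Volley's default HurlStack uses HttpsURLConnection, which honours this configuration without any code changes, so no custom stack is needed on devices where it applies.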