
I'm building a banking application in which the client and server communicate securely over HTTPS; for that I have to add SSL pinning in Android using RestTemplate. I checked many links for RestTemplate code, but it's not working properly. Is this correct or not for SSL pinning in Android? I found this code on Google's Android Developers site.

I have added the certificate to my application, but how do I connect it with RestTemplate?

    // Imports the original snippet omitted
    import android.content.Context;
    import android.util.Log;
    import java.io.BufferedInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManagerFactory;

    // Wrapper method added so the snippet compiles as a unit; ctx is the Android Context
    static void installPinnedSslContext(Context ctx) throws Exception {
        // Load the server certificate shipped with the app
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream is = ctx.getResources().openRawResource(R.raw.cedgenetbankingin); // 'your_cert.crt' placed in res/raw
        InputStream caInput = new BufferedInputStream(is);
        Certificate ca;
        try {
            ca = cf.generateCertificate(caInput);
            System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
        } finally {
            caInput.close();
        }

        // Create a KeyStore containing only our trusted certificate
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the certificate in our KeyStore
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);

        // Create an SSLContext that uses our TrustManager
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);

        // A HostnameVerifier that accepts every hostname: hostname checking is skipped,
        // so the pinned certificate is accepted for any host name it is presented from
        HostnameVerifier allHostsValid = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                Log.i("JJ", "true--");
                return true;
            }
        };

        // Install both as process-wide defaults for every HttpsURLConnection
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
    }

Note: is adding the certificate enough? I added the .crt file from the raw folder. If I make some changes in the file I get an exception, so RestTemplate doesn't call. If the file is correct, does that mean it's working?

RestTemplate code:

    // Imports the original snippet omitted
    import org.springframework.http.HttpEntity;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.ResponseEntity;
    import org.springframework.http.converter.StringHttpMessageConverter;
    import org.springframework.web.client.RestTemplate;

    // url, str_encodedparams, respo and createHttpHeaders() are defined elsewhere in the asker's class
    RestTemplate restTemplate = new RestTemplate();
    try {
        // Allow String request/response bodies
        restTemplate.getMessageConverters().add(new StringHttpMessageConverter());

        HttpHeaders headers = createHttpHeaders();
        HttpEntity<String> entity = new HttpEntity<>(str_encodedparams, headers);

        // POST the encoded parameters and read the body as a String
        ResponseEntity<String> response = restTemplate.postForEntity(url, entity, String.class);

        System.out.println("Result - status (" + response.getStatusCode() + ") has body: " + response.hasBody());
        respo = response.getBody();
        System.out.println(respo);
    } catch (Exception eek) {
        // Any TLS failure (for example a certificate that does not match) surfaces here
        eek.printStackTrace();
        System.out.println("** Exception: " + eek.getMessage());
    }
siddhi

1 Answer


The best way to apply certificate pinning to an Android app is by pinning against the public key of the certificate, which allows you to rotate certificates in the backend without releasing a new mobile app version, considering that you sign the new certificates with the same public key. For certificates that have been compromised we normally provide a backup pin, thus giving you time to release a new version of the mobile app.

I wrote an article, Securing HTTPS with Certificate Pinning on Android, that takes this approach and uses the network security config file in conjunction with the TrustKit package:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <!-- Official Android N API -->
    <!--https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html-->
    <domain-config>
        <domain>currency-converter-demo.pdm.approov.io</domain>
        <trust-anchors>
            <!--<certificates src="user" />-->
            <certificates src="system" />
        </trust-anchors>
        <pin-set>
            <!-- Pin for: currency-converter-demo.pdm.approov.io -->
            <pin digest="SHA-256">qXHiE7hFX2Kj4ZCtnr8u8yffl8w9CTv6kE0U5j0o1XY=</pin>

            <!-- Backup Pin for: currency-converter-demo.pdm.approov.io -->
            <pin digest="SHA-256">47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</pin>
        </pin-set>

        <!-- TrustKit Android API -->
        <!-- enforce pinning validation -->
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <!-- Add a reporting URL for pin validation reports -->
            <report-uri>https://report.pdm.approov.io/pinning-violation/report</report-uri>
        </trustkit-config>
    </domain-config>

</network-security-config>

Please read the linked article to better understand how everything fits together and to see the example demo.

Exadra37
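As an added example (not the answer's or TrustKit's code), this shows where the `<pin digest="SHA-256">` value in the config above comes from: it is base64(SHA-256(SubjectPublicKeyInfo DER)), which is why a certificate re-issued for the same key pair keeps its pin while a new key pair changes it. The certificates are constructed DER skeletons with the real TBSCertificate field order; the `fake_cert` helper and placeholder keys are assumptions of this example, not real certificates.

```python
# Added example (not the answer's or TrustKit's code). Android compares the
# <pin digest="SHA-256"> value against base64(SHA-256(SubjectPublicKeyInfo DER)),
# so a certificate re-issued for the same key pair keeps its pin. Sample certs
# below are constructed DER skeletons, not real certificates.
import base64
import hashlib

def _tlv(tag, body):
    """Encode one DER element (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + body

def _read_tlv(buf, pos):
    """Decode the element at pos; return (tag, body, index after it)."""
    tag, first = buf[pos], buf[pos + 1]
    count = 0 if first < 0x80 else first & 0x7F          # long-form length octets
    length = first if count == 0 else int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
    start = pos + 2 + count
    return tag, buf[start:start + length], start + length

def pin_from_spki(spki_der):
    """base64(SHA-256(SPKI)): the exact string the <pin> element carries."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    """Locate SubjectPublicKeyInfo inside a DER certificate and pin it."""
    _, cert, _ = _read_tlv(cert_der, 0)    # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0        # skip the optional [0] version
    for _ in range(6):  # serialNumber, signature, issuer, validity, subject, SPKI
        start = pos
        _, _, pos = _read_tlv(tbs, pos)
    return pin_from_spki(tbs[start:pos])   # the whole SPKI element, tag included

def fake_cert(serial, spki):
    """Constructed v3 certificate skeleton (empty names/validity) around spki."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial)
               + _tlv(0x30, b"") * 4 + spki)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

# Constructed placeholder SPKIs: empty AlgorithmIdentifier + 256-byte BIT STRING key
KEY_A = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + bytes(range(256))))
KEY_B = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + bytes(range(255, -1, -1))))
ORIGINAL = fake_cert(b"\x01", KEY_A)
REISSUED = fake_cert(b"\x02", KEY_A)   # renewed certificate, same key pair
ROTATED = fake_cert(b"\x03", KEY_B)    # new key pair: the pin changes
```

On a real certificate, `spki_pin(open("server.der", "rb").read())` produces the string to paste into the `<pin>` element; the backup pin is computed the same way from the SPKI of the standby key.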