
I have created a network_security_config.xml file:

<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api-qa.xxx.net</domain>
        <pin-set>
            <pin digest="SHA-256">xWyFxD64FLSsMf0qBC+xxxxxxxxxYuQl4fWLPzZXBOQ</pin>
            <pin digest="SHA-256">xWyFxD64FLSsMf0qBC+xxxxxxxxxYuQl4fWLPzZXBOQ</pin>
        </pin-set>
    </domain-config>
</network-security-config>

I have added it to the Android manifest file using

android:networkSecurityConfig="@xml/network_security_config"

minSdkVersion is 24 and I am using the Volley library for network communication.

When I use a wrong pin, i.e. some random number, I still do not get any certificate error and the connection is successful.

Am I doing something wrong?

Thanks in advance.

eager
  • Can you try OkHttp certificate pinning with Volley once, to check whether it works that way or not? https://stackoverflow.com/questions/28191023/ssl-pinning-with-volley-network-library-on-android – ahjo4321hsotuhsa Oct 06 '22 at 15:37
  • Could you check whether you see this line in the logs when making calls? `NetworkSecurityConfig: No Network Security Config specified, using platform default`. It is just to be sure that networkSecurityConfig was applied correctly. – bmaciejm Nov 07 '22 at 11:27
  • I am facing the same issue. Did you manage to fix it? – amzer May 18 '23 at 12:38
  • I am facing the same issue – Amit_android Jun 26 '23 at 10:39
  • There are three options in my opinion: (1) you are matching your domain incorrectly; (2) you are somehow falling under "system" certificate matching, which every Android app trusts (that would be strange, as this is not like your config should work); (3) Volley is doing something under the hood which defeats the "network_security_config" pinning, so it won't work. I would personally go for option 2 or 3 (but I don't know for sure, as I have never used Volley). – bmaciejm Aug 14 '23 at 14:15
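Added example (not from the question or any of the comments): a standard-library Python check over a network_security_config.xml that reports the things that make pinning look like it "does not work": the requested host matching no `<domain-config>` at all, a `<pin>` that is not a SHA-256 digest of the right length, a pin-set whose two pins are the same value (no real backup, as in the config above), and an `expiration` date that has already passed, after which Android stops enforcing the pins. The config inside the script is constructed for the example and its pin values are hashes of arbitrary strings, not real keys; `api-qa.example.net` and `api.example.net` are placeholder hosts.

```python
"""Static checks for an Android network_security_config.xml pin-set.

Added example, not from the original post. Parses the file with the standard
library and reports the misconfigurations that make pinning look like it
"does not work". The config text below is constructed for the example.
"""
import base64
import binascii
import datetime
import hashlib
import xml.etree.ElementTree as ET

DIGEST_LENGTHS = {"SHA-256": 32}   # the only digest the platform accepts for <pin>


def decode_pin(text):
    """Base64-decode a pin, tolerating the missing '=' padding Android accepts."""
    text = (text or "").strip()
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def check_pin_set(pin_set, today):
    """Return a list of problems for one <pin-set>; an empty list means it is sound."""
    problems, digests = [], []
    for pin in pin_set.findall("pin"):
        alg = pin.get("digest")
        if alg not in DIGEST_LENGTHS:
            problems.append(f"unsupported digest algorithm {alg!r}")
            continue
        try:
            raw = decode_pin(pin.text)
        except binascii.Error:
            problems.append(f"pin {pin.text!r} is not valid base64")
            continue
        if len(raw) != DIGEST_LENGTHS[alg]:
            problems.append(f"pin decodes to {len(raw)} bytes, expected {DIGEST_LENGTHS[alg]}")
            continue
        digests.append(raw)
    if len(set(digests)) < 2:
        problems.append("fewer than two distinct pins: no usable backup pin")
    expiration = pin_set.get("expiration")
    if expiration and datetime.date.fromisoformat(expiration) <= today:
        problems.append(f"pin-set expired on {expiration}: pins are no longer enforced")
    return problems


def matching_domain_config(root, host):
    """Return the <domain-config> that applies to host, or None.

    An exact <domain> match wins; otherwise the longest includeSubdomains parent
    wins. Matching is on whole labels, so "notapi.example.net" is not under
    "api.example.net". Hostnames are compared case-insensitively.
    """
    host = host.lower().rstrip(".")
    best, best_len = None, -1
    for cfg in root.iter("domain-config"):          # iter() also visits nested domain-configs
        for dom in cfg.findall("domain"):
            name = (dom.text or "").strip().lower()
            subdomains = dom.get("includeSubdomains", "false").lower() == "true"
            if host == name:
                return cfg
            if subdomains and host.endswith("." + name) and len(name) > best_len:
                best, best_len = cfg, len(name)
    return best


def audit(xml_text, host, today=None):
    """Report whether host is pinned by this config and what is wrong with its pins."""
    today = today or datetime.date.today()
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    cfg = matching_domain_config(root, host)
    if cfg is None:
        return {"matched": False,
                "problems": [f"no domain-config matches {host}: it is not pinned at all"]}
    # A nested domain-config without its own pin-set falls back to its parent's.
    parent = {child: p for p in root.iter() for child in p}
    node = cfg
    while node is not None and node.tag == "domain-config" and node.find("pin-set") is None:
        node = parent.get(node)
    pin_set = node.find("pin-set") if node is not None and node.tag == "domain-config" else None
    if pin_set is None:
        return {"matched": True, "problems": ["matching domain-config has no pin-set: nothing is pinned"]}
    return {"matched": True, "problems": check_pin_set(pin_set, today)}


def fake_pin(label):
    """A syntactically valid pin for the sample: SHA-256 of a constructed label, not a real key."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


PRIMARY, BACKUP = fake_pin("constructed primary key"), fake_pin("constructed backup key")
UNPADDED = PRIMARY.rstrip("=")   # 43 chars without '=' padding, the form used in the question

# Constructed sample: the first entry has the shape of the question's config (same pin
# twice); the second has a real backup pin but an expiration already in the past.
SAMPLE_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api-qa.example.net</domain>
        <pin-set>
            <pin digest="SHA-256">{UNPADDED}</pin>
            <pin digest="SHA-256">{UNPADDED}</pin>
        </pin-set>
    </domain-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.net</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">{PRIMARY}</pin>
            <pin digest="SHA-256">{BACKUP}</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""

if __name__ == "__main__":
    for h in ("api-qa.example.net", "v2.api.example.net", "notapi-qa.example.net"):
        print(h, audit(SAMPLE_CONFIG, h))
```

Run it against your own file with `audit(open("res/xml/network_security_config.xml").read(), "<the exact host your app connects to>")`. If the host does not match, the pins are never consulted for that connection; if it does match and the script finds nothing wrong, the remaining question is whether the platform loaded the file at all, which is what the `NetworkSecurityConfig: No Network Security Config specified, using platform default` logcat line mentioned in the comments tells you.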

1 Answer

-1

Normally, an app trusts all pre-installed CAs. If any of these CAs were to issue a fraudulent certificate, the app would be at risk from a man-in-the-middle attack. Some apps choose to limit the set of certificates they accept by either limiting the set of CAs they trust or by certificate pinning.

Certificate pinning is done by providing a set of certificates by hash of the public key (SubjectPublicKeyInfo of the X.509 certificate). A certificate chain is then valid only if the certificate chain contains at least one of the pinned public keys.

Note that, when using certificate pinning, you should always include a backup key so that if you are forced to switch to new keys or change CAs (when pinning to a CA certificate or an intermediate of that CA), your app's connectivity is unaffected. Otherwise, you must push out an update to the app to restore connectivity.

Additionally, it is possible to set an expiration time for pins after which pinning is not performed. This helps prevent connectivity issues in apps which have not been updated. However, setting an expiration time on pins may enable pinning bypass.

res/xml/network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <!-- pins are not enforced after the expiration date -->
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
Mehul Kabaria
Nerd Girl
    I understand all of that already. But the thing is that, whether the pin is correct or not [I have used an incorrect pin to check], a successful connection is happening, which I already mentioned!! – eager Oct 06 '22 at 13:46
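The answer says the pin is the hash of the SubjectPublicKeyInfo, not of the whole certificate. The script below, an added example that is not part of the answer, computes exactly that value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)). It uses only the standard library, so the X.509 part is a minimal DER reader that walks tbsCertificate to the subjectPublicKeyInfo field (no validation of anything). Because it has to run offline, the certificate it is fed is constructed in the script with a tiny DER encoder: a fake RSA modulus, a dummy signature and the placeholder name `api-qa.example.net`.

```python
"""Derive the Android NSC <pin> value from a DER certificate:
base64(SHA-256(DER encoding of SubjectPublicKeyInfo)).

Added example, not part of the original answer. The certificate it runs on
is constructed below (fake key, dummy signature) so the example is
self-contained; spki_der()/nsc_pin() work the same on a real DER certificate.
"""
import base64
import hashlib


# --- minimal DER encoder, used only to construct the sample certificate ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def seq(*items):
    return tlv(0x30, b"".join(items))


# --- minimal DER reader, used to locate the SPKI inside a certificate ---
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_der(cert_der):
    """Return the full SubjectPublicKeyInfo element (tag, length and value) of a DER certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer,
                                  validity, subject, subjectPublicKeyInfo, ... }
    """
    _, pos, _ = read_tlv(cert_der, 0)            # step into Certificate
    tag, pos, _ = read_tlv(cert_der, pos)        # step into tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                              # EXPLICIT [0] version is optional (absent in v1)
        pos = end
    for _ in range(5):                           # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]                     # the pin covers the whole SPKI encoding, header included


def pin_from_spki(spki):
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


def nsc_pin(cert_der):
    """The value to put in <pin digest="SHA-256"> for this certificate's key."""
    return pin_from_spki(spki_der(cert_der))


# --- constructed sample certificate (not a real key, no valid signature) ---
OID_RSA_ENCRYPTION = tlv(0x06, bytes.fromhex("2A864886F70D010101"))   # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = tlv(0x06, bytes.fromhex("2A864886F70D01010B"))  # 1.2.840.113549.1.1.11
NULL = tlv(0x05, b"")


def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one commonName (2.5.4.3) as UTF8String
    return seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, cn))))


def fake_spki(seed):
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
    modulus = tlv(0x02, b"\x00" + hashlib.sha256(seed).digest() * 8)   # 2048-bit look-alike, positive
    rsa_key = seq(modulus, tlv(0x02, b"\x01\x00\x01"))                 # RSAPublicKey { n, e = 65537 }
    return seq(seq(OID_RSA_ENCRYPTION, NULL), tlv(0x03, b"\x00" + rsa_key))


def fake_cert(spki, with_version=True):
    fields = [tlv(0xA0, tlv(0x02, b"\x02"))] if with_version else []     # [0] EXPLICIT version v3
    fields += [
        tlv(0x02, b"\x01"),                                               # serialNumber
        seq(OID_SHA256_WITH_RSA, NULL),                                   # signature
        name(b"api-qa.example.net"),                                      # issuer (placeholder)
        seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z")),    # validity (UTCTime)
        name(b"api-qa.example.net"),                                      # subject (placeholder)
        spki,
    ]
    signature = tlv(0x03, b"\x00" + bytes(256))                           # dummy signatureValue
    return seq(seq(*fields), seq(OID_SHA256_WITH_RSA, NULL), signature)


LEAF_SPKI = fake_spki(b"constructed leaf key")
LEAF_CERT = fake_cert(LEAF_SPKI)

if __name__ == "__main__":
    print(nsc_pin(LEAF_CERT))
```

For a real server the same value comes out of openssl: `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64`. Compare that output with what is in your config; a pin-set is satisfied when any certificate in the validated chain (leaf, intermediate or root) has a matching SPKI hash, so the backup pin should be computed from a different key (for example the intermediate CA's), not pasted as a second copy of the same value.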