2

I am implementing SSL pinning in my app and I use the leaf node certificate, which is the one for my website in the certificate hierarchy.

val certificatePinner = CertificatePinner.Builder()
    .add(
        BuildConfig.DOMAIN,
        Constants.SHA256_HASH
    )
    .build()

val okHttpClient = okHttpClientBuilder
    .certificatePinner(certificatePinner)
    .build()

This works perfectly as long as the certificate remains the same, but the main problem is keeping the app up to date with the SHA256 hash, as the certificate expires every 3 months. If I miss updating the new SHA256 hash, the app stops working due to a certificate mismatch. Is there any way to avoid this situation? Thanks in advance.

Mahesh

2 Answers

0

Using the SHA hash of the root certificate solved my problem, as it has a longer life.

Mahesh
0

I had to manage a similar situation: I had to implement certificate pinning and I didn't want to synchronize app releases with certificate expiration.

The solution (it is a compromise, I know) I implemented works this way: if the certificate the app uses is still valid, the app applies certificate pinning. If the certificate is expired, the app does not use certificate pinning. In this way, the app is "exposed with no certificate pinning" between the certificate expiration date and the app update (with the new certificate hash). During this period the app is exposed, but it continues to work!!

The code:

import android.annotation.SuppressLint;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public abstract class CertificatePinnerManager {

    private CertificatePinnerManager() {
    }

    public static final String DATE_FORMAT = "dd/MM/yyyy";
    // last day on which the pinned certificate is expected to be valid
    public static final String CERTIFICATE_PINNING_END_CHECK = "12/09/2021";
    public static final String CERTIFICATE_SHA_256 = "sha256/zzz/yyy/xxxx";

    public static CertificatePinner generateCertificatePinner() {
        @SuppressLint("SimpleDateFormat") SimpleDateFormat sdf = new SimpleDateFormat(DATE_FORMAT);
        Date endDate;
        try {
            endDate = sdf.parse(CERTIFICATE_PINNING_END_CHECK);
        } catch (ParseException e) {
            // the end date is a compile-time constant: a parse failure is a programming
            // error, so fail here instead of dereferencing a null Date below
            throw new IllegalStateException("Invalid CERTIFICATE_PINNING_END_CHECK", e);
        }
        if (new Date().before(endDate)) {
            // certificate pinning enabled until the end date
            return new CertificatePinner.Builder()
                    // domain to check
                    .add("dummy.com", CERTIFICATE_SHA_256)
                    .build();
        } else {
            // end date passed: an empty pinner disables certificate pinning
            return new CertificatePinner.Builder().build();
        }
    }
}

// create okhttp client
OkHttpClient httpClient = new OkHttpClient.Builder()
        .certificatePinner(CertificatePinnerManager.generateCertificatePinner())
        .build();

I think it would be a better solution to manage the certificate SHA with remote config, but for the moment, this is my solution. :D

I hope it will help you.

xcesco
  • Hi @xcesco, thanks for sharing your approach. I think this will be beneficial when we manage the certificate, but in my case it's Cloudflare – Mahesh Dec 23 '22 at 05:04
  • Hi, can you share the project or GitHub repo? What happened when the pin expired? Do you have a way to get it dynamic? – Roger Apr 28 '23 at 01:08
  • @Roger, when the certificate expires, the `CertificatePinnerManager` simply avoids checking whether the certificate is correct. The idea behind it is to have certificate pinning while the certificate is valid. – xcesco Apr 29 '23 at 15:24
  • @xcesco thank you. How do you know if it is an incorrect pin or a correct pin with an expiry date? Should I add the pin and expiry date in RemoteConfig? How often should you check Remote Config, knowing that there are many calls to endpoints in the app, and how often does the RemoteConfig service allow me? Using SharedPreferences and RemoteConfig maybe, but I have no idea if it's safe – Roger May 02 '23 at 13:55
  • Hi, if I have a collection of keys that will expire [ {domain:"domain_1" ; dateUntil: "date1", key:"key1"}, {domain:"domain_2" ; dateUntil: "date2", key:"key2"} {domain:"domain_3" ; dateUntil: "date3", key:"key3"}.... ] is it good to use Firestore, or Firebase RemoteConfig? I want to secure that data – Roger Jul 12 '23 at 01:57
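Both answers come down to which key the pin is computed from. The following is an added example, not code from either answer: it computes the `sha256/...` pin string OkHttp expects from a public key and pins the leaf, the root CA and a backup key together for one host, so a leaf reissued under the same CA keeps matching. It assumes OkHttp on the classpath; the keys are generated locally as constructed stand-ins for the real chain, and `example.com` is a placeholder host.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Base64;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class PinSetBuilder {

    private PinSetBuilder() {}

    // The pin string OkHttp expects: "sha256/" + Base64(SHA-256(SubjectPublicKeyInfo DER)).
    // PublicKey.getEncoded() yields exactly that DER structure, so the same method
    // works for the key of a leaf, an intermediate or a root certificate.
    public static String pinFor(PublicKey key) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    // Pins every given key for one host. OkHttp accepts the connection if ANY
    // certificate in the served chain matches a pin, so pinning the root CA (as in
    // the first answer) plus a pre-generated backup key keeps the app working when
    // the short-lived leaf is reissued under the same CA.
    public static CertificatePinner pinnerFor(String host, PublicKey... keys)
            throws GeneralSecurityException {
        CertificatePinner.Builder builder = new CertificatePinner.Builder();
        for (PublicKey key : keys) {
            builder.add(host, pinFor(key));
        }
        return builder.build();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed stand-ins: locally generated keys play the role of the current
        // leaf key, the issuing root CA key and an offline backup key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey leaf = gen.generateKeyPair().getPublic();
        PublicKey rootCa = gen.generateKeyPair().getPublic();
        PublicKey backup = gen.generateKeyPair().getPublic();

        CertificatePinner pinner = pinnerFor("example.com", leaf, rootCa, backup);
        OkHttpClient client = new OkHttpClient.Builder().certificatePinner(pinner).build();

        // For the real chain these printed values are what go into the app's constants.
        System.out.println(pinFor(leaf));
        System.out.println(pinFor(rootCa));
    }
}
```

The backup key's pin can ship in the app while its private key stays offline, so a rotation to that key needs no app update.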