PUBLIC KEY PINNING

Android security by jiahaoliuliu

INDEX

What is it?
How to implement it?
Demo
Dos and don'ts

ME

WHAT’S IT

Source: http://oscarpadial.com/como-evaluar-la-configuracion-ssl/

WHAT’S IT?
Relies on the SSL certificate, which contains the public key of the server
The public key can be read from the certificate the server presents:
openssl s_client -connect random.org:443 | openssl x509 -pubkey -noout
The public key is pinned (saved) in the client

IMPLEMENTATION

Based on a custom TrustManager
Plug it into Volley through HurlStack
TrustManager[] tm = {new PublicKeyManager()};     // the pinning trust manager
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tm, null);                  // no client keys, our trust manager, default RNG
HurlStack hurlStack = new HurlStack(null, sslContext.getSocketFactory());
Volley.newRequestQueue(this, hurlStack).add(jsonObjectRequest);

PUBLIC KEY MANAGER

Holds the expected public key as a string
Receives the server certificate when the connection is initiated
1. Extract the public key from the certificate
2. Compare it with the pinned key
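A complete PublicKeyManager for the TrustManager approach on the two slides above, written here as an added example (it is not the code from the talk or its demo repository). It performs the two steps listed on this slide and, as an addition the slides do not show, runs the platform's default chain validation before the pin check; the pinned hex string is a placeholder to be filled from the openssl -pubkey output for the real host.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Accepts a server only if its leaf certificate carries the pinned public key. */
public class PublicKeyManager implements X509TrustManager {
    // Pinned value: hex of the DER-encoded SubjectPublicKeyInfo of the server key.
    // PLACEHOLDER: fill it from the openssl -pubkey output (PEM -> DER -> hex) for your host.
    private static final String PINNED_PUBLIC_KEY_HEX = "REPLACE_WITH_HEX_OF_SERVER_PUBLIC_KEY";
    private final X509TrustManager platformTrust; // normal chain, expiry and CA validation

    public PublicKeyManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the platform's default trust store
        platformTrust = (X509TrustManager) tmf.getTrustManagers()[0];
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        // Standard validation first: the pin is an extra check, not a replacement for it.
        platformTrust.checkServerTrusted(chain, authType);
        // 1. Extract the public key of the leaf (server) certificate.
        String presented = toHex(chain[0].getPublicKey().getEncoded());
        // 2. Compare with the pinned key; a mismatch aborts the handshake even for a CA-signed cert.
        if (!PINNED_PUBLIC_KEY_HEX.equalsIgnoreCase(presented)) {
            throw new CertificateException("server public key does not match the pinned key");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted here");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }
}
```

Because the pin is compared against the leaf certificate's public key rather than the whole certificate, the server can renew its certificate without breaking the app as long as it keeps the same key pair.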

Demo
https://github.com/jiahaoliuliu/PublicKeyPinning

DOS & DON'TS
Do
High security risk
Banking applications
Don't
Frequent changes of the SSL certificate's key
Speed over security

Questions
jiahaoliuliu@gmail.com
@jiahaoliuliu