Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Certificate pinning 101
Search
Xavier Rubio Jansana
January 30, 2018
Programming
1
130
Certificate pinning 101
Slides for the lighthning talk "Certificate pinning 101" given at Barcelona ADG.
Xavier Rubio Jansana
January 30, 2018
Tweet
Share
More Decks by Xavier Rubio Jansana
See All by Xavier Rubio Jansana
Android Custom Controls and Canvas
xrubioj
0
120
Swifty Framework Development for pragmatic developers
xrubioj
0
190
Android Data Binding: from (null) to (data)
xrubioj
1
180
Other Decks in Programming
See All in Programming
フルサイクルエンジニアリングをAI Agentで全自動化したい 〜構想と現在地〜
kamina_zzz
0
360
公共交通オープンデータ × モバイルUX 複雑な運行情報を 『直感』に変換する技術
tinykitten
PRO
0
190
Python札幌 LT資料
t3tra
7
1.1k
GISエンジニアから見たLINKSデータ
nokonoko1203
0
190
AtCoder Conference 2025
shindannin
0
940
Kotlin Multiplatform Meetup - Compose Multiplatform 외부 의존성 아키텍처 설계부터 운영까지
wisemuji
0
170
AIによるイベントストーミング図からのコード生成 / AI-powered code generation from Event Storming diagrams
nrslib
2
1.4k
Deno Tunnel を使ってみた話
kamekyame
0
320
Automatic Grammar Agreementと Markdown Extended Attributes について
kishikawakatsumi
0
110
Unicodeどうしてる? PHPから見たUnicode対応と他言語での対応についてのお伺い
youkidearitai
PRO
0
540
Patterns of Patterns
denyspoltorak
0
460
[AtCoder Conference 2025] LLMを使った業務AHCの上⼿な解き⽅
terryu16
6
1k
Featured
See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
61
9.7k
Organizational Design Perspectives: An Ontology of Organizational Design Elements
kimpetersen
PRO
1
61
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
61
48k
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
How to audit for AI Accessibility on your Front & Back End
davetheseo
0
140
Speed Design
sergeychernyshev
33
1.5k
Game over? The fight for quality and originality in the time of robots
wayneb77
1
81
Between Models and Reality
mayunak
1
170
The browser strikes back
jonoalderson
0
300
Making Projects Easy
brettharned
120
6.5k
The SEO identity crisis: Don't let AI make you average
varn
0
48
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.7k
Transcript
C C L L Xavier Rubio Jansana @teknik_tdr
https://xrubio.com https://github.com/xrubioj/
S S What? Why? How SSL/TLS works MiTM Attacks Certificate
pinning 101 Security considerations
W ? W ? Network security technique
W ? W ? Avoid MiTM attacks
I I Stealing app secrets Stealing user secrets Subverting communication
(e.g. change delivery address)
H SSL/TLS H SSL/TLS
HTTPS C HTTPS C
C C
C C
C S C S Subject Public Key Info
C C
C C
Settings → Security → Trusted certificates System vs User R
CA R CA
M TM A M TM A Root CA injection CA
insuficient validation → rogue certificate Self-signed certificates → validation disabled
C C
O H O H Exception: val hostname = "*.google.com" val
certificatePinner = CertificatePinner.Builder() .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build() val client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure! Peer certificate chain: sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root Pinned certificates for publicobject.com: sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= at okhttp3.CertificatePinner.check(CertificatePinner.java) at okhttp3.Connection.upgradeToTls(Connection.java) at okhttp3.Connection.connect(Connection.java) at okhttp3.Connection.connectAndSetOwner(Connection.java) afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=
A N A N AndroidManifest.xml: <?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config>
<domain includeSubdomains="true">appmattus.com</domain> <pin-set> <pin digest="SHA-256">4hw5tz+scE+TW+mlai5YipDfFWn1dqvfLG+nU7tq1V8=</pin> <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin> </pin-set> </domain-config> </network-security-config> <?xml version="1.0" encoding="utf-8"?> <manifest> <application android:networkSecurityConfig="@xml/network_security_config"> <!-- ... --> </application> </manifest> android:networkSecurityConfig="@xml/network_security_config"
B B CWAC-NetSecurity With some manual work... https://github.com/commonsguy/cwac-netsecurity "Allows the
same XML configuration to be used, going back to API Level 17 (Android 4.2)"
H H Hard failure So failure
S S Hardcoded pins Accept on first access Get pins
from server → inception!
S S ⚠ Hide your secrets! See "Android security basics"
talk by Krzysztof Kocel https://www.meetup.com/Barcelona-Android- Developer-Group/events/244107028/
R R "Android Security: SSL Pinning" by Matthew Dolan Network
Security Configuration "CWAC-NetSecurity: Simplifying Secure Internet Access" by CommonsWare CertificatePinner class OkHttp documentation https://medium.com/@appmattus/android-security-ssl-pinning- 1db8acb6621e https://developer.android.com/training/articles/security-config.htm https://github.com/commonsguy/cwac-netsecurity https://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinne
Q ? Q ?
T ! T ! Xavier Rubio Jansana This talk is
available at: @teknik_tdr https://xrubio.com https://github.com/xrubioj/ https://xrubio.com/talks/talk-lightning-certificate-pinning/
xrubioj
kamina_zzz
tinykitten
t3tra
nokonoko1203
shindannin
wisemuji
nrslib
kamekyame
kishikawakatsumi
youkidearitai
denyspoltorak
terryu16
jnunemaker
kimpetersen
soudai
wjessup
davetheseo
sergeychernyshev
wayneb77
mayunak
jonoalderson
brettharned
varn
eileencodes
