Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Certificate pinning 101
Search
Xavier Rubio Jansana
January 30, 2018
Programming
1
120
Certificate pinning 101
Slides for the lighthning talk "Certificate pinning 101" given at Barcelona ADG.
Xavier Rubio Jansana
January 30, 2018
Tweet
Share
More Decks by Xavier Rubio Jansana
See All by Xavier Rubio Jansana
Android Custom Controls and Canvas
xrubioj
0
100
Swifty Framework Development for pragmatic developers
xrubioj
0
170
Android Data Binding: from (null) to (data)
xrubioj
1
170
Other Decks in Programming
See All in Programming
『毎日の移動』を支えるGoバックエンド内製開発
yutautsugi
2
210
Swift Concurrency - 状態監視の罠
objectiveaudio
2
480
私達はmodernize packageに夢を見るか feat. go/analysis, go/ast / Go Conference 2025
kaorumuta
2
500
CSC305 Lecture 04
javiergs
PRO
0
260
なぜあの開発者はDevRelに伴走し続けるのか / Why Does That Developer Keep Running Alongside DevRel?
nrslib
3
380
SpecKitでどこまでできる? コストはどれくらい?
leveragestech
0
600
Catch Up: Go Style Guide Update
andpad
0
200
Six and a half ridiculous things to do with Quarkus
hollycummins
0
130
iOSエンジニア向けの英語学習アプリを作る!
yukawashouhei
0
180
LLMとPlaywright/reg-suitを活用した jQueryリファクタリングの実際
kinocoboy2
4
680
XP, Testing and ninja testing ZOZ5
m_seki
3
360
Goで実践するドメイン駆動開発 AIと歩み始めた新規プロダクト開発の現在地
imkaoru
4
750
Featured
See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
960
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
53k
Done Done
chrislema
185
16k
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
Automating Front-end Workflow
addyosmani
1371
200k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
Docker and Python
trallard
46
3.6k
For a Future-Friendly Web
brad_frost
180
9.9k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
A designer walks into a library…
pauljervisheath
209
24k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
850
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Transcript
C C L L Xavier Rubio Jansana @teknik_tdr
https://xrubio.com https://github.com/xrubioj/
S S What? Why? How SSL/TLS works MiTM Attacks Certificate
pinning 101 Security considerations
W ? W ? Network security technique
W ? W ? Avoid MiTM attacks
I I Stealing app secrets Stealing user secrets Subverting communication
(e.g. change delivery address)
H SSL/TLS H SSL/TLS
HTTPS C HTTPS C
C C
C C
C S C S Subject Public Key Info
C C
C C
Settings → Security → Trusted certificates System vs User R
CA R CA
M TM A M TM A Root CA injection CA
insuficient validation → rogue certificate Self-signed certificates → validation disabled
C C
O H O H Exception: val hostname = "*.google.com" val
certificatePinner = CertificatePinner.Builder() .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build() val client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure! Peer certificate chain: sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root Pinned certificates for publicobject.com: sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= at okhttp3.CertificatePinner.check(CertificatePinner.java) at okhttp3.Connection.upgradeToTls(Connection.java) at okhttp3.Connection.connect(Connection.java) at okhttp3.Connection.connectAndSetOwner(Connection.java) afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=
A N A N AndroidManifest.xml: <?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config>
<domain includeSubdomains="true">appmattus.com</domain> <pin-set> <pin digest="SHA-256">4hw5tz+scE+TW+mlai5YipDfFWn1dqvfLG+nU7tq1V8=</pin> <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin> </pin-set> </domain-config> </network-security-config> <?xml version="1.0" encoding="utf-8"?> <manifest> <application android:networkSecurityConfig="@xml/network_security_config"> <!-- ... --> </application> </manifest> android:networkSecurityConfig="@xml/network_security_config"
B B CWAC-NetSecurity With some manual work... https://github.com/commonsguy/cwac-netsecurity "Allows the
same XML configuration to be used, going back to API Level 17 (Android 4.2)"
H H Hard failure So failure
S S Hardcoded pins Accept on first access Get pins
from server → inception!
S S ⚠ Hide your secrets! See "Android security basics"
talk by Krzysztof Kocel https://www.meetup.com/Barcelona-Android- Developer-Group/events/244107028/
R R "Android Security: SSL Pinning" by Matthew Dolan Network
Security Configuration "CWAC-NetSecurity: Simplifying Secure Internet Access" by CommonsWare CertificatePinner class OkHttp documentation https://medium.com/@appmattus/android-security-ssl-pinning- 1db8acb6621e https://developer.android.com/training/articles/security-config.htm https://github.com/commonsguy/cwac-netsecurity https://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinne
Q ? Q ?
T ! T ! Xavier Rubio Jansana This talk is
available at: @teknik_tdr https://xrubio.com https://github.com/xrubioj/ https://xrubio.com/talks/talk-lightning-certificate-pinning/