Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Certificate pinning 101
Search
Xavier Rubio Jansana
January 30, 2018
Programming
150
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Certificate pinning 101
Slides for the lighthning talk "Certificate pinning 101" given at Barcelona ADG.
Xavier Rubio Jansana
January 30, 2018
More Decks by Xavier Rubio Jansana
See All by Xavier Rubio Jansana
Android Custom Controls and Canvas
xrubioj
0
140
Swifty Framework Development for pragmatic developers
xrubioj
0
210
Android Data Binding: from (null) to (data)
xrubioj
1
210
Other Decks in Programming
See All in Programming
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
geekplus_tech
0
400
Lemonade + Foundry Toolkit でお手軽アプリ開発
seosoft
1
360
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
120
代数的データ型って何が嬉しいの? #frontend_phpcon_do
kajitack
8
3.7k
LLMによるContent Moderationの本番運用の裏側と品質担保への挑戦
suikabar
3
720
Oxcを導入して開発体験が向上した話
yug1224
4
320
Language Server 使ってる? 〜VSCode と Zed の場合〜 / Are you using a Language Server? ~For VS Code and Zed~
handlename
0
800
エージェンティックRAGにAWSで入門しよう!
har1101
8
1.7k
ECSアプリログをFireLensでコスト削減しようとしたけど諦めた話 in Fargate×Node.js
akihisaikeda
2
4.2k
Java × distroless で 軽量なコンテナイメージを / Java on Distroless
contour_gara
0
550
Vite+ Unified Toolchain for the Web
naokihaba
0
330
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
170
Featured
See All Featured
HTML-Aware ERB: The Path to Reactive Rendering @ RubyCon 2026, Rimini, Italy
marcoroth
1
210
Evolving SEO for Evolving Search Engines
ryanjones
0
220
Facilitating Awesome Meetings
lara
57
7k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
2k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
ryanjones
0
170
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
480
Scaling GitHub
holman
464
140k
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
1
540
What’s in a name? Adding method to the madness
productmarketing
PRO
24
4.1k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
2
870
Designing Experiences People Love
moore
143
24k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
21
1.5k
Transcript
C C L L Xavier Rubio Jansana @teknik_tdr
https://xrubio.com https://github.com/xrubioj/
S S What? Why? How SSL/TLS works MiTM Attacks Certificate
pinning 101 Security considerations
W ? W ? Network security technique
W ? W ? Avoid MiTM attacks
I I Stealing app secrets Stealing user secrets Subverting communication
(e.g. change delivery address)
H SSL/TLS H SSL/TLS
HTTPS C HTTPS C
C C
C C
C S C S Subject Public Key Info
C C
C C
Settings → Security → Trusted certificates System vs User R
CA R CA
M TM A M TM A Root CA injection CA
insuficient validation → rogue certificate Self-signed certificates → validation disabled
C C
O H O H Exception: val hostname = "*.google.com" val
certificatePinner = CertificatePinner.Builder() .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build() val client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure! Peer certificate chain: sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root Pinned certificates for publicobject.com: sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= at okhttp3.CertificatePinner.check(CertificatePinner.java) at okhttp3.Connection.upgradeToTls(Connection.java) at okhttp3.Connection.connect(Connection.java) at okhttp3.Connection.connectAndSetOwner(Connection.java) afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=
A N A N AndroidManifest.xml: <?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config>
<domain includeSubdomains="true">appmattus.com</domain> <pin-set> <pin digest="SHA-256">4hw5tz+scE+TW+mlai5YipDfFWn1dqvfLG+nU7tq1V8=</pin> <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin> </pin-set> </domain-config> </network-security-config> <?xml version="1.0" encoding="utf-8"?> <manifest> <application android:networkSecurityConfig="@xml/network_security_config"> <!-- ... --> </application> </manifest> android:networkSecurityConfig="@xml/network_security_config"
B B CWAC-NetSecurity With some manual work... https://github.com/commonsguy/cwac-netsecurity "Allows the
same XML configuration to be used, going back to API Level 17 (Android 4.2)"
H H Hard failure So failure
S S Hardcoded pins Accept on first access Get pins
from server → inception!
S S ⚠ Hide your secrets! See "Android security basics"
talk by Krzysztof Kocel https://www.meetup.com/Barcelona-Android- Developer-Group/events/244107028/
R R "Android Security: SSL Pinning" by Matthew Dolan Network
Security Configuration "CWAC-NetSecurity: Simplifying Secure Internet Access" by CommonsWare CertificatePinner class OkHttp documentation https://medium.com/@appmattus/android-security-ssl-pinning- 1db8acb6621e https://developer.android.com/training/articles/security-config.htm https://github.com/commonsguy/cwac-netsecurity https://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinne
Q ? Q ?
T ! T ! Xavier Rubio Jansana This talk is
available at: @teknik_tdr https://xrubio.com https://github.com/xrubioj/ https://xrubio.com/talks/talk-lightning-certificate-pinning/
xrubioj
geekplus_tech
seosoft
har1101
kajitack
suikabar
yug1224
handlename
akihisaikeda
contour_gara
naokihaba
blueswen
marcoroth
ryanjones
lara
honnibal
reverentgeek
holman
honzajavorek
productmarketing
tomoyanonymous
moore
sergeychernyshev
