SSL-Pinning-Android
๐๐ This project will show the implementation of SSL pinning with public key of the server certificate using retrofit okhttp client.
Overview
Github Api has been used to show the ssl pinning. Its a simple user info api which will show user name.After clicking the button github api will be called and it will fetch user data.
Explanation
CertificatePinner
object with hash pin and host name
Create
OkHttpClient
with CertificatePinner
object
Create
OkHttpClient
with Retrofit
Add
Install Openssl
Mac OS
- Run this command on terminal
brew install openssl
Windows
https://thesecmaster.com/procedure-to-install-openssl-on-the-windows-platform/
How to Extract Public Key/Hash from .cer/.crt file
1st Approach
- First download the server certificate and save the file in a folder
- run this command on that folder
openssl x509 -in your_cerficate.cer -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
2nd Appraoch
- Give a wrong hash in retrofit
- Hit github api then in logcat correct hash pin will be shown. Copy the first hash and use it for pinning
3rd Appraoch
- Run this command
openssl s_client -connect www.yourdomain.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Resources
https://tech.groww.in/ssl-pinning-in-android-part-2-b591dfc8c2f1 https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning https://mailapurvpandey.medium.com/ssl-pinning-in-android-90dddfa3e051#:~:text=Public%20Key%20Pinning,-Public%20key%20pinning&text=In%20this%20approach%2C%20we%20generate,throw%20a%20SSL%20certificate%20error.