Seeing as SHA-1 is currently being deprecated by Google as well as most CAs due to collision weaknesses, I think it's wise to upgrade the pins to SHA-256, especially as this library is used by many security-conscious applications.

Some libraries like Google's Volley allow constructing HTTP clients with custom SSLSocketFactory's, so instead of copy pasting some SSLSocketFactory construction boiler-plate code, I thought I'd try to DRY things up by creating this helper method.

Noticed that this is a library but the published license is GPL vs. LGPL. But that makes it unusable in commercial software or even many/most free mobile apps because GPL mandates the entire application be GPL in order to use GPL libraries. https://www.gnu.org/licenses/gpl-faq.html#IfLibraryIsGPL

Any possibility to change the license to LGPL to ensure contributions to the code remain public and free, but that the implementation can be used broadly?

Running lint shows no dependencies on minSDKVersion 8. Lowering the minSDK to 5 allows bundling this library with a greater number of applications.

Specifically the maintainers of the Fdroid client were hesitant to merge a pull req I wrote to bundle AndroidPinning because their client has a minSDK of 5 versus the AndroidPinning minSDK of 8.

Thanks! Big fan of the library <3

Hi my friend,

I'm currently working on Android projects and I think AndroidPinning is a good fit for my situation.

However the current license (GPLv3) prevents me to use AndroidPinning on anything, but only on fully opensource + GPL'd Android apps. Would it be possible to change AndroidPinning's license to a lesser restrictive one like BSD, MIT, ALv2, EPL…?

It seems that Android 4.0.3 uses a different system trust store. As a result, code that works on 2.x fails on 4.0.

root@android:/ # ls /system/etc/security cacerts otacerts.zip

root@android:/ # ls /system/etc/security/cacerts 00673b5b.0 03e16f6c.0 08aef7bb.0 ...

02-15 13:31:54.437: E/AndroidRuntime(824): java.lang.AssertionError: java.io.FileNotFoundException: /system/etc/security/cacerts.bks: open failed: ENOENT (No such file or directory) 02-15 13:31:54.437: E/AndroidRuntime(824): at org.thoughtcrime.ssl.pinning.PinningTrustManager$SystemKeyStore.getTrustStore(PinningTrustManager.java:246) 02-15 13:31:54.437: E/AndroidRuntime(824): at org.thoughtcrime.ssl.pinning.PinningTrustManager$SystemKeyStore.getPkixParameters(PinningTrustManager.java:209) 02-15 13:31:54.437: E/AndroidRuntime(824): at org.thoughtcrime.ssl.pinning.PinningTrustManager$SystemKeyStore.(PinningTrustManager.java:185) 02-15 13:31:54.437: E/AndroidRuntime(824): at org.thoughtcrime.ssl.pinning.PinningTrustManager.(PinningTrustManager.java:102) ...

The readme sample using google pins doesn't validate for me. Looking through stackoverflow I found the following shell script which uses openssl to obtain the certificate of a server:

#!/bin/sh
# Based on http://blog.crazybob.org/2010/02/android-trusting-ssl-certificates.html

SERVER=www.google.com:443
echo | openssl s_client -connect ${SERVER} 2>&1 | \
     sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.pem &&
     cat mycert.pem &&
     echo "Generated pem file"

Running this generates a file which used with the pin.py tool outputs:

Calculating PIN for certificate: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
Pin Value: 6a42217ac7419912ff661867525e5a059a526325

However when I paste the pin value into the readme HttpsURLConnection sample I get an exception javax.net.ssl.SSLHandshakeException: No valid pins found in chain!. Which seems to indicate I'm not getting correctly the certificate. How should I retrieve the cert from google and other public websites?

I imported the project in android application. I get the following error in the build.gradle:

Error:(54, 0) No such property: sonatypeRepo for class: org.gradle.api.publication.maven.internal.ant.DefaultGroovyMavenDeployer

I was playing around with trying to add this as a library project to a gradle based Android app I'm making and was running into some errors. I eventually stumbled upon this line: https://github.com/moxie0/AndroidPinning/blob/master/build.gradle#L27

Changing the name of the source set 'aild' to 'aidl' made some of my problems go away, but is that custom source set location necessary? I don't see any use of aidl in the app. Same with renderscript and assets.

My name is Davy Yue, and I am the Founder + CEO of LifeEverlasting, an innovative technology enabling a user to interact with anyone from history. See our pitch slide deck below, and note the one-minute promotional video on the second slide: ​ https://docs.google.com/presentation/d/1OMQ7LMTXqql0Jy1pdslMyeANcjQWcaTch-0zHBjVFzc/edit?usp=sharing ​ My team and I at LifeEverlasting are currently looking for seed & angel investors, as well as venture capitalists to fund our development process as we push for the first-ever beta release date May 18th, 2018 at 3:00 pm CST as well as the second beta date in the slide deck. We are also looking to work with security professionals, since a significant amount of data would be collected to fuel the neural network and machine-learning process.

I would love to schedule a video or phone call with you to discuss further your possible involvement in LifeEverlasting, an innovative startup breaking new ground in helping establish people's long-living legacy after their physical passing.

Please let me know what you think. Looking forward to talking soon!

Best,

Davy Yue

https://github.com/moxie0/AndroidPinning/blob/master/src/org/thoughtcrime/ssl/pinning/PinningTrustManager.java#L176

The chain you get is the chain given by the peer = web server. It can contain any number of certificates that have nothing to do with the trust chain created internally by checkSystemTrust().

CertificateChainCleaner.java tries to fix that but it does not validate any signatures. So adding invalid certificates can create a second trust chain to circumvent the pinning.

checkPinTrust() returns true if the parameter contains any certificate that matches the pin. By attaching any trusted, correctly pinned certificate to the TLS-response the entire pinning can be circumvented.

See https://www.cigital.com/blog/ineffective-certificate-pinning-implementations/ for a more detailed explanation of your security flaw.

Noticed there is code to read certificates from raw folder. Is the file a single bks file with multiple aliases? Any chance for an example of how to use?

Allow the caller to specify which domain(s?) a pin should apply to. This would allow pinning to be set process-wide using HttpsURLConnection.setDefaultSSLSocketFactory() so that all HttpsURLConnections made by the app, including third-party libraries, could be pinned at the caller's request.

I am trying to do cert pinning for SHA2 cert on my server. My app stopped working as the server got upgraded with SHA2 and I am trying to use this library but keeps getting SSL javax.net.ssl.SSLPeerUnverifiedException: No peer certificate at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)

Any idea?

AndroidPinning relies on Apache framework: https://github.com/moxie0/AndroidPinning/blob/master/src/org/thoughtcrime/ssl/pinning/util/PinningHelper.java#L58-L62

Which got deprecated in API 22 (Android 5.1): https://developer.android.com/about/versions/android-5.1.html#http http://developer.android.com/reference/org/apache/http/params/HttpParams.html

This makes org.thoughtcrime.ssl.pinning.util.PinningHelper.getPinnedHttpClient() deprecated.