
Android API Level < 24 ignore SSL Pinning #100

Open
josera21 opened this issue Mar 18, 2022 · 0 comments

@josera21

Describe the bug
SSL pinning is not working on Android 6 (Marshmallow), but it works fine on Android N and above.

To Reproduce

  1. Initialize and configure TrustKit correctly.
  2. In the xml/network_security_config file, put some invalid certificates.
  3. Run the app on Android 6 and on Android >= 7.
  4. The HTTPS requests on Android >= 7 are rejected correctly, but on Android 6 they work just fine.

Expected behavior
Requests with invalid certificates should not work on either Android 6 or Android >= 7.

TrustKit configuration
network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user" />
    </trust-anchors>
  </base-config>
  <!-- Pin the domain example.com-->
  <!-- Official Android N API -->
  <domain-config>
    <domain includeSubdomains="true">example.com</domain>
    <pin-set>
      <pin digest="SHA-256">JlgeWvslDDLd6LweqYxg4gANDQkZKDE7+ER3G/FP3BM=</pin>
      <pin digest="SHA-256">jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=</pin>
    </pin-set>
    <trustkit-config enforcePinning="true">
    </trustkit-config>
  </domain-config>
</network-security-config>

MainActivity.java

import android.os.Bundle;

import com.datatheorem.android.trustkit.TrustKit;
import com.datatheorem.android.trustkit.pinning.OkHttp3Helper;
import com.facebook.react.ReactActivity;

import okhttp3.OkHttpClient;

// Base class assumed from the React Native setup listed under "App details" below.
public class MainActivity extends ReactActivity {

  @Override
  protected void onCreate(Bundle savedInstanceState) {
    /* Start of certificate pinning */
    try {
      // Loads the pin-set from res/xml/network_security_config.xml into TrustKit
      TrustKit.initializeWithNetworkSecurityConfiguration(this);
    } catch (Exception e) {
      e.printStackTrace();
    }

    // OkHttp 3.3.x and higher: TrustKit's socket factory, trust manager and
    // interceptor perform the pin validation for connections made by this client.
    // Note: the client is built here but not referenced anywhere else in the snippet.
    OkHttpClient client =
        new OkHttpClient.Builder()
            .sslSocketFactory(OkHttp3Helper.getSSLSocketFactory(), OkHttp3Helper.getTrustManager())
            .addInterceptor(OkHttp3Helper.getPinningInterceptor())
            .followRedirects(false)
            .followSslRedirects(false)
            .build();
    /* End of certificate pinning */
    super.onCreate(savedInstanceState);
  }
}

App details:

  • App target SDK: 30
  • App language: React Native 0.66.3
  • Android version to reproduce the bug: Android 6 (Marshmallow)
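
What the `<pin-set>` above actually asks a pinner to verify, as an added example in plain Java (not code from the issue or from TrustKit): each `<pin digest="SHA-256">` value is base64(SHA-256(SubjectPublicKeyInfo DER)), and a chain passes only if at least one of its keys matches at least one configured pin. The keys are generated in-process as constructed stand-ins, and `SpkiPinCheck`, `spkiPin` and `firstPinnedIndex` are names chosen here.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class SpkiPinCheck {

  // A <pin digest="SHA-256"> value is base64(SHA-256(SubjectPublicKeyInfo DER)).
  // PublicKey.getEncoded() yields exactly that SubjectPublicKeyInfo encoding for JCA keys.
  static String spkiPin(PublicKey key) throws NoSuchAlgorithmException {
    byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
    return Base64.getEncoder().encodeToString(digest);
  }

  // <pin-set> semantics: the chain passes if ANY certificate's key matches ANY pin.
  // Returns the index of the first matching chain element, or -1 when no pin matched,
  // which is the case an enforcing pinner must reject even if the system trusts the root.
  static int firstPinnedIndex(List<PublicKey> chainKeys, Set<String> pins)
      throws NoSuchAlgorithmException {
    for (int i = 0; i < chainKeys.size(); i++) {
      if (pins.contains(spkiPin(chainKeys.get(i)))) {
        return i;
      }
    }
    return -1;
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    // Constructed sample keys standing in for a leaf, its intermediate CA and an unrelated CA.
    PublicKey leaf = gen.generateKeyPair().getPublic();
    PublicKey intermediate = gen.generateKeyPair().getPublic();
    PublicKey unrelatedCa = gen.generateKeyPair().getPublic();

    // Pin the intermediate plus a backup key so that a leaf rotation does not break the app.
    Set<String> pins = new HashSet<>(Arrays.asList(
        spkiPin(intermediate), spkiPin(gen.generateKeyPair().getPublic())));

    System.out.println("pin for network_security_config: " + spkiPin(intermediate));
    System.out.println("pinned chain   -> " + firstPinnedIndex(Arrays.asList(leaf, intermediate), pins));
    System.out.println("unpinned chain -> " + firstPinnedIndex(Arrays.asList(leaf, unrelatedCa), pins));
  }
}
```

Running the same check against the chain a device actually receives is a quick way to tell whether a request that succeeded on Android 6 was validated against the pin-set at all.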