amitrai1-blog1
Certificate Pinning on Mobile
amitrai1-blog1 · 5 years ago
What is certificate pinning and how it works on Android
We live in a world where every tech product considers itself a mobile product, and the communication between the mobile app and its server has to be secure. There are many ways to provide a secure channel between mobile and server, but attackers keep trying to stay one step ahead. Certificate pinning was introduced as a second check on top of the normal TLS certificate validation.
Most of us assume that talking to the server over HTTPS by itself gives a secure channel between mobile and server, but the reality is more nuanced.
A mobile app does not carry a certificate of its own; it relies on the certificate presented by the server, and by default it accepts any certificate that chains to one of the certificate authorities trusted by the device. A man in the middle (intruder) who holds a certificate for the server's name that the device trusts, for example one issued by a CA certificate the attacker installed on the device, only needs a point from which to intercept the traffic, such as a Wi-Fi network they control. The app has no way to tell that the certificate came from the intruder rather than from the real server, because any trusted CA is good enough for it.
Certificate pinning resolves this by making the app validate the server's certificate against something it knows in advance. A copy of the certificate, or a fingerprint of it (in practice usually a hash of its public key), is stored inside the app. When the connection is set up, the app compares the certificate the server presented with the stored copy or fingerprint. If they match, the connection proceeds; otherwise the connection must be aborted and an error shown, even though the certificate is otherwise valid.
The pins are derived from the certificate, and there are several ways to obtain them. OkHttp pins are the SHA-256 hash of the certificate's SubjectPublicKeyInfo (its public key), base64-encoded and prefixed with sha256/.
Example of certificate pinning with the OkHttp client
    import java.io.IOException;
    import java.security.cert.Certificate;
    import java.util.Arrays;
    import java.util.concurrent.TimeUnit;

    import okhttp3.CertificatePinner;
    import okhttp3.Handshake;
    import okhttp3.OkHttpClient;
    import okhttp3.Request;
    import okhttp3.Response;

    // Pins have the form "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)). The value
    // below is the placeholder from the original post, not a valid pin: replace it
    // with the pin of your own server's certificate.
    private static final String[] SSlCERTIFICATE_PINS = {
            "sha256/soipiv1taOudc4/2ZPMIPC0ikkSgxjahskahsaksha="
    };

    OkHttpClient.Builder builder = new OkHttpClient.Builder();
    builder.connectTimeout(4, TimeUnit.MINUTES).readTimeout(4, TimeUnit.MINUTES);
    builder.certificatePinner(new CertificatePinner.Builder()
            .add("www.myexample1.com", SSlCERTIFICATE_PINS)   // one host, one or more pins
            .build());
    OkHttpClient okHttpClient = builder.build();
Here we registered the certificate pins when creating the OkHttpClient object. You can add multiple pins, and pins for several different domains, to the same CertificatePinner.
    // Post-handshake check. With certificatePinner configured above this is redundant:
    // OkHttp already aborts the handshake with SSLPeerUnverifiedException when no pin
    // matches. It is kept here as a diagnostic that shows what the pinner compares.
    boolean pinMatched = false;
    Request request = new Request.Builder().url("https://www.myexample1.com/").build();
    try (Response okhttpresponse = okHttpClient.newCall(request).execute()) {
        Handshake handshake = okhttpresponse.handshake();   // null for plain HTTP
        if (handshake != null) {
            for (Certificate certificate : handshake.peerCertificates()) {
                // CertificatePinner.pin() returns the "sha256/..." pin of this certificate
                if (Arrays.asList(SSlCERTIFICATE_PINS).contains(CertificatePinner.pin(certificate))) {
                    pinMatched = true;
                    break;
                }
            }
        }
    } catch (IOException e) {
        // includes the SSLPeerUnverifiedException thrown by the pinner; treat as failure
    }
    if (!pinMatched) {
        // do not trust the response; show an error to the user
    }
After the handshake completes we compute the pins of the certificates the server presented and check whether one of them matches a locally stored pin. If it does, the connection is trusted; otherwise we show an error message and discard the response. Note that the handshake is checked regardless of the HTTP status code: a 404 served over a correctly pinned connection is still a pinned connection.
One thing to keep in mind: whenever the server's certificate expires or is replaced with one that carries a different public key, the pins stored in the app must be updated and a new version of the app published. Pinning the public key rather than the whole certificate, and shipping a backup pin for a key pair kept in reserve, avoids forcing an app update on every routine renewal.
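How to obtain the pins mentioned above, and how a backup pin is computed from a key pair that is not yet deployed so that a certificate renewal does not require an app update. This is an added example written for this page, not code from the original post or from OkHttp. It assumes the openssl command-line tool is installed; the function names are mine, and the self-signed certificate for www.myexample1.com is constructed input standing in for the server's real certificate.

```shell
#!/bin/sh
# Added example (not from the original post): derive OkHttp-style pins with the
# openssl CLI. OkHttp's pin is "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)),
# i.e. a hash of the public key, not of the whole certificate.
set -eu

# Constructed input: a throwaway self-signed certificate for the host name used in
# the post. In practice point the functions below at the server's real certificate.
make_test_cert() {
    dir="$1"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem"
    openssl req -x509 -new -key "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=www.myexample1.com" -days 1 2>/dev/null
}

# Pin of the public key inside a certificate (what goes into CertificatePinner.add()).
spki_pin_from_cert() {
    printf 'sha256/%s\n' "$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64)"
}

# The same pin computed from a private key. This is how a backup pin is produced
# for a key pair that has been generated but not yet deployed to the server.
spki_pin_from_key() {
    printf 'sha256/%s\n' "$(openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64)"
}

# For contrast: a fingerprint of the whole certificate. It changes on every renewal,
# so pinning it forces an app update each time, unlike the SPKI pin above.
cert_fingerprint() {
    printf 'sha256/%s\n' "$(openssl x509 -in "$1" -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64)"
}

# The client-side comparison: exact match of the presented pin against the allowed set.
pin_allowed() {
    presented="$1"; shift
    for allowed in "$@"; do
        [ "$presented" = "$allowed" ] && return 0
    done
    return 1
}

# Demo run: the pin from the certificate and the pin from the key are identical,
# the whole-certificate fingerprint is not.
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT
make_test_cert "$tmp"
echo "SPKI pin from cert: $(spki_pin_from_cert "$tmp/cert.pem")"
echo "SPKI pin from key:  $(spki_pin_from_key "$tmp/key.pem")"
echo "Cert fingerprint:   $(cert_fingerprint "$tmp/cert.pem")"
```

Run it against the real certificate with `spki_pin_from_cert server.pem` and paste the output into CertificatePinner.add(). OkHttp also offers a shortcut for discovering pins: configure a deliberately wrong pin and the SSLPeerUnverifiedException it throws lists the pins of the certificates the server actually presented.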