Certificate Pinning
Use Certificate Pinning to enhance server identity trust in mobile apps, establishing a secure connection and mitigating man-in-the-middle risks.
In this guide, we'll walk you through the process of SSL pinning on Android, focusing on the generation of a certificate public hash key and its integration into the Android Network Security Configuration.
1. In the OpenSSL command line tool, enter the following command to generate the .der file. Make sure to replace your-server with the one you want to generate.
openssl s_client -connect your-server.com:443 -showcerts < /dev/null | openssl x509 -outform der > server_cert.der
2. After generating the certificate, create a public key in a pem file. Replace the name server_cert with the name generated in step 1.
openssl x509 -inform der -in server_cert.der -pubkey -noout > server_cert_public_key.pem
3. Now you need to hash the certificate with a hashing algorithm. In the example below, we use SHA256 to hash our key. Replace the server_cert_public_key.pem name with the one you provided.
cat server_cert_public_key.pem | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
4. To insert the public hash key into Android network security configuration, open your AndroidManifest.xml file and add the following <network-security-config> block within the <application> element:
<application>
<!-- ... -->
<meta-data
android:name="android.security.net.config"
android:resource="@xml/network_security_config" />
<!-- ... -->
</application>
5. Create a new XML file (for example, network_security_config.xml) in the res/xml directory with the following content:
<network-security-config>
<domain-config>
<domain includeSubdomains="true">faceapi.regulaforensics.com</domain>
<pin-set>
<pin digest="SHA-256">/5RKFaPkCjAzvsEZHOlYqncYADaLIG5VfTmhsBbkaBk=</pin>
</pin-set>
</domain-config>
</network-security-config>
Insert the obtained public hash key as the value of the <pin> element.
6. To test SSL pinning, intentionally change a character in the pin value to make it invalid. When making a request, the system should detect the incorrect pin and terminate the liveness assessment process.
In this guide, we'll walk you through the process of SSL pinning, focusing on the generation and integration of a certificate public hash key.
1. Open your terminal and enter the following command to generate the .cer file. Replace your-server with your desired server.
openssl s_client -connect your-server.com:443 -showcerts < /dev/null | openssl x509 -outform der > server_cert.cer
2. After generating the certificate, create a public key in a .pem file. Replace the name server_cert with the one generated in step 1.
openssl x509 -inform der -in server_cert.cer -pubkey -noout > server_cert_public_key.pem
3. Hash the certificate with a hashing algorithm. In the example below, we use SHA256 to hash our key. Replace the server_cert_public_key.pem name with your provided name.
cat server_cert_public_key.pem | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
4. To integrate the public hash key into iOS, open your Xcode project and update target Info.plist so it includes the NSPinnedDomains section in the NSAppTransportSecurity settings:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSPinnedDomains</key>
<dict>
<key>your-server.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSPinnedLeafIdentities</key>
<array>
<dict>
<key>SPKI-SHA256-BASE64</key>
<string>r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=</string>
</dict>
</array>
</dict>
</dict>
</dict>
Replace your-server.com with your actual server domain.
Replace SHA-256 hash key in the NSPinnedLeafIdentities array with generated one.
5. To test SSL pinning, intentionally change a character in the public hash key value to make it invalid. When making a request, the system should detect the incorrect pin and terminate the liveness assessment process.