I was watching Google I/O 2012's Security and Privacy in Android Apps. At around 37:55, Kenny Root talks about certificate pinning and tells us to visit the docs for HttpsUrlConnection to see how to use a pinset.
Unfortunately my Google-fu is off again, and I can't seem to locate the example (locally or on the web). Searching for "httpsurlconnection pinset example" returned 0 hits. Would anyone happen to have a link or example of using HttpsUrlConnection with a pinset?
For those who do not pin, pinning is a whitelist of expected server certificates (possibly thumbprints). It remediates a lot of infrastructure issues created by carriers, telcos, handset OEMs, CAs, subordinate CA certificates (including proxies), ISPs, and DNS providers.
Jeff
Visit the Android documentation on HttpsURLConnection and read the section entitled "Providing an application specific X509TrustManager" for the sample code.
Note you'll have to make a Keystore file containing your certificates. You can do this with the "keytool" command that ships with the JDK:
keytool -import -trustcacerts -alias myca -file myca.crt -keystore myca.jks
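As an added illustration of the two steps described in the reply above (this is example code written for this thread, not the sample from the Android documentation or from the Google I/O talk): the keystore produced by keytool is loaded into a TrustManagerFactory, wrapped in an X509TrustManager that additionally checks the server's chain against a pinset of SHA-256 certificate fingerprints, and installed on an HttpsURLConnection through an SSLContext. The class and method names, the keystore password, and the fingerprint in PINSET are placeholders chosen for the example; KeyStore.getDefaultType() is used so the code picks up whatever keystore format the runtime supports.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Example (not from the Android docs): HttpsURLConnection with an app-specific trust store plus a pinset. */
public final class PinnedHttpsClient {

    // Pinset: lowercase hex SHA-256 fingerprints of the DER-encoded certificates you expect
    // (server leaf or the CA you imported with keytool). PLACEHOLDER value; replace with your own.
    static final Set<String> PINSET = new HashSet<>(Arrays.asList(
        "<sha256-fingerprint-of-expected-certificate>"
    ));

    /** Loads the keystore created with keytool (e.g. packaged as a raw resource). */
    static KeyStore loadTrustStore(InputStream in, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, password);
        return ks;
    }

    /** Picks the X509TrustManager that trusts only the certificates in our keystore. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Hex SHA-256 over the certificate's DER encoding, the same value keytool -list -v prints as SHA256. */
    static String sha256Hex(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Delegates path validation to the keystore-backed manager, then requires a pinned cert in the chain. */
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private final Set<String> pins;

        PinningTrustManager(X509TrustManager delegate, Set<String> pins) {
            this.delegate = delegate;
            this.pins = pins;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType); // normal chain validation first
            try {
                for (X509Certificate cert : chain) {
                    if (pins.contains(sha256Hex(cert))) return; // a pinned certificate is present
                }
            } catch (Exception e) {
                throw new CertificateException("fingerprint computation failed", e);
            }
            throw new CertificateException("server chain does not match the pinset");
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new CertificateException("client certificates are not accepted here");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }
    }

    /** Opens an HttpsURLConnection whose TLS trust decision is made by PinningTrustManager. */
    static HttpsURLConnection open(URL url, KeyStore trustStore) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {
            new PinningTrustManager(trustManagerFor(trustStore), PINSET) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

Usage: on Android, open the keystore with getResources().openRawResource(...) (or from assets), call loadTrustStore with the password you gave keytool, and pass the result to open(url, ks) before reading the response. Because the delegate still performs ordinary path validation and hostname verification stays enabled on the connection, the pinset only narrows what is accepted; it never widens it.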