React native SSL pinning works but PinningFailureReportBroadcastReceiver is not fired/called

[satheeshwaran]

Describe the bug On React native after adding the network_security_config the requests are blocked when the PIN doesn't match which is fine but we are not able to get the broadcast of the PIN failure for reporting it to Crashlytics etc.

To Reproduce Launch the app. Connect to the service. Network error is received and the API call fails. No broadcast happens.

Expected behavior The broadcast should be fired.

TrustKit configuration

implementation 'com.datatheorem.android.trustkit:trustkit:1.1.3'

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">xxxx.xxx-xxx-xxx.com</domain>
        <pin-set>
            <pin digest="SHA-256">fdsgfdw343wtrbvdfbggdfgd54545345353=</pin>
            <pin digest="SHA-256">fdsgfdw343wtrbvdfbggdfgd54545345353=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true"></trustkit-config>
    </domain-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">xxx-xxxx-xxx.xxx.xxxxx</domain>
        <pin-set>
            <pin digest="SHA-256">fdsgfdw343wtrbvdfbggdfgd54545345353==</pin>
            <pin digest="SHA-256">fdsgfdw343wtrbvdfbggdfgd54545345353==</pin>
        </pin-set>
        <trustkit-config enforcePinning="false"></trustkit-config>
    </domain-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">10.0.2.2</domain>
        <domain includeSubdomains="true">localhost</domain>
    </domain-config>
</network-security-config>

App details:

• App target SDK: 29
• App language: React native, Android, Axios
• Android version to reproduce the bug: Android 29 Emulator

Additional context MainActivity.java

  private static final PinningFailureReportBroadcastReceiver pinningFailureReportBroadcastReceiver
          = new PinningFailureReportBroadcastReceiver();

  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    TrustKit.initializeWithNetworkSecurityConfiguration(this);
    LocalBroadcastManager.getInstance(this)
            .registerReceiver(pinningFailureReportBroadcastReceiver, new IntentFilter(BackgroundReporter.REPORT_VALIDATION_EVENT));

  @Override
  protected void onDestroy() {
    LocalBroadcastManager.getInstance(getApplicationContext())
            .unregisterReceiver(pinningFailureReportBroadcastReceiver);
    super.onDestroy();
  }

And within MainActivity.java

  static class PinningFailureReportBroadcastReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
      PinningFailureReport report = (PinningFailureReport) intent.getSerializableExtra(BackgroundReporter.EXTRA_REPORT);
      Log.v(TAG, "Received PinningFailureReport " + report.toString());
    }
  }

At this point, I am not sure whether TrustKit is doing the PIN rejection of is it the OS doing it by default.

[nadishan]

Found a solution?

[thuongtv-vn]

I got the same issue. May we missing some config?

[thuongtv-vn]

In my opinion, when we set network security config then android system validate by itself. Thus TrustKit did not validate connection except if we are using a HttpConnection or Okhttp connection instance. Then the event may be fired.