Open CAMOBAP opened 2 years ago
This would have the same issue as any naive pin: you can get stuck on an old cert. Their suggestion to expire pins after time X is laughable.
Check out the same source used for the iOS pinning for Android details.
It's much safer and reliable to pin the root cert instead. Almost the same level of peace of mind, without having to stay ahead of the ever shorter expiry dates. Android permits you to specify certain root(s) is/are trusted for a domain.
Looks like no third-party libraries are needed, ~this can be achieved by a single config https://developer.android.com/training/articles/security-config#CertificatePinning~
Upd. We need to be able to update certs: https://github.com/wultra/ssl-pinning-android allows dynamic SSL pinning
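As an added example (not code from this thread or from either project linked above), this is what the root-pinning approach discussed here looks like in an Android Network Security Config: trust for the domain is restricted to one bundled root CA, and the pin set carries the SPKI hash of that root plus a backup root so a CA rotation does not brick the app. The file name `res/raw/root_ca` and both pin values are placeholders; replace them with hashes computed from the real root certificates.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from the manifest via
     <application android:networkSecurityConfig="@xml/network_security_config">

     The pin values below are placeholders. Compute the real SPKI pin of a root
     certificate with:
       openssl x509 -in root_ca.pem -pubkey -noout \
         | openssl pkey -pubin -outform der \
         | openssl dgst -sha256 -binary | openssl enc -base64
     Android accepts a chain if ANY certificate in it matches a pin, so pinning
     the root's SPKI survives leaf and intermediate renewals. -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- Only the root CA bundled in res/raw/root_ca (placeholder) is
             trusted for this domain; system and user CAs are excluded. -->
        <trust-anchors>
            <certificates src="@raw/root_ca"/>
        </trust-anchors>

        <!-- Primary root pin plus a backup root pin. Keep the backup's
             private key offline so the pin set can be rotated without a
             forced app update. Set the expiration far enough out that a
             stale install degrades to normal CA validation instead of
             failing hard. -->
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_ROOT_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_ROOT_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Everything else falls back to the platform's default trust store. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>
```

Note that once `expiration` passes the pins are simply ignored, not enforced, which is the failure mode the first comment objects to; the backup pin is what actually keeps a rotated root from stranding installed apps.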