This repository has been archived by the owner on Nov 16, 2020. It is now read-only.

Certificate pinning? #11

Open
kreativmonkey opened this issue Apr 19, 2020 · 3 comments
Labels: devops (Developer operations: CI, deployment etc.), security

Comments

@kreativmonkey (Member) opened the issue Apr 19, 2020

Certificate pinning: we currently rely on Android to verify the server TLS certificate. This can in theory allow MITM attacks!

@ChristianRomberg (Member)

haveyaseen added the devops (Developer operations: CI, deployment etc.) label Apr 22, 2020
@assert-not-singularity (Member) commented Apr 30, 2020

FYI: currently I'm struggling to get the app running in my development environment, but as soon as I'm able to deploy code to my device, I'm going to try the second solution, the implementation using OkHttp.

Reasons:

  • The code right now says //TODO use a more sophisticated library, and OkHttp seems to be a solid solution for that
  • Network Security Configuration requires at least Android 7.0 (API level 24), which would lock the app out of older smartphones (6.x still seems to have a market share of > 10 %)

@haveyaseen (Member)

@assert-not-singularity OkHttp would also enable us to go through a proxy server for up- and downloading TCNs (#27). I say go for it, definitely.
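The two comments above describe the plan (OkHttp's CertificatePinner for pinning, plus an optional proxy for TCN up- and downloads) without showing it. The following is an added example written for this page, not code from the project or from either commenter. The hostname tcn.example.org, the /report path, the proxy port and the two pin values are assumptions and placeholders; real pins are the base64 SHA-256 of the server key's SubjectPublicKeyInfo. Two points a practitioner should keep in mind: OkHttp checks the pins only after the platform trust manager has validated the chain, so pinning narrows trust rather than replacing Android's check, and it only covers connections made through this client (a WebView, for instance, is unaffected). Always ship a backup pin for a key held offline, otherwise a server key rotation locks every installed app out.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Added example: an OkHttp client that pins the TCN server's public key. */
public final class PinnedTcnClient {

    // Assumed hostname; the real server name is not given in the issue.
    static final String TCN_HOST = "tcn.example.org";

    // Placeholder pins (base64 SHA-256 over the certificate's SubjectPublicKeyInfo).
    // Obtain the real value for a live server with, for example:
    //   openssl s_client -connect tcn.example.org:443 </dev/null 2>/dev/null \
    //     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | openssl enc -base64
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /** Builds the pinned client; proxy may be null for a direct connection. */
    static OkHttpClient build(Proxy proxy) {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Pin the current key and a backup key kept offline, so a key
                // rotation on the server does not lock installed apps out.
                .add(TCN_HOST, PRIMARY_PIN)
                .add(TCN_HOST, BACKUP_PIN)
                .build();
        OkHttpClient.Builder builder = new OkHttpClient.Builder()
                .certificatePinner(pinner);
        if (proxy != null) {
            // HTTPS through an HTTP proxy is tunnelled with CONNECT; the pins are
            // still checked against the origin server's chain, not the proxy's.
            builder.proxy(proxy);
        }
        return builder.build();
    }

    /** Fetches a URL; returns the body, or null if the pin check failed. */
    static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // On a mismatch OkHttp throws with a message starting
            // "Certificate pinning failure!" that lists the pins of the chain the
            // peer actually presented; that is the usual way to bootstrap the
            // correct values during development.
            System.err.println("Pinning failed for " + url + ": " + e.getMessage());
            return null;
        }
    }

    /** Development helper: the OkHttp pin string ("sha256/...") for a certificate. */
    static String pinOf(Certificate certificate) {
        return CertificatePinner.pin(certificate);
    }

    public static void main(String[] args) throws IOException {
        // Optional first argument: proxy host (assumed port 8080), as in the
        // proxy idea from #27.
        Proxy proxy = args.length > 0
                ? new Proxy(Proxy.Type.HTTP, new InetSocketAddress(args[0], 8080))
                : null;
        OkHttpClient client = build(proxy);
        String body = fetch(client, "https://" + TCN_HOST + "/report");
        System.out.println(body == null ? "request refused" : body);
    }
}
```

With the placeholder pins above, any real server will fail the check and the exception message will print the pins it actually presented; copy the one for the intermediate or leaf key you intend to trust into PRIMARY_PIN and keep a second, unpublished key for BACKUP_PIN. Pinning the intermediate CA's key instead of the leaf survives routine leaf renewals, at the cost of trusting every certificate that CA issues for the host.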
