android - Insufficient SSL certificate pinning in native Android app
I have implemented certificate pinning in one of the Android apps that I work on. Here are the steps followed.
- Convert the .crt file to a .bks file.
- Add the .bks file to the assets folder in the project structure.
- Load the above file during the API call using TrustManagerFactory.
The security auditor is saying this implementation is weak and can be easily broken using Frida or any other bypass tool.
Is there any better way to implement SSL pinning so that the above tool can't intercept the network calls?
Image of the code snippet of my current implementation
PS: Using DefaultHTTPClient for API calls.
Update: I have added the public hash of the certificate in the network security config file, and yet the tool is able to bypass it.
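Two points a reviewer of this question would check before anything else. First, the value Android's `<pin-set>` expects is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo (SPKI), not a fingerprint of the whole certificate; a whole-certificate hash is silently ignored as a non-match. Second, no client-side pinning scheme (BKS trust store, network security config, OkHttp CertificatePinner) survives an attacker who controls the device: Frida hooks the trust manager or the pinning check inside the app process, after the pin has already been read. Pinning protects users against a network-position attacker with a mis-issued or rogue CA certificate; it is not a defence against the device owner, and auditors who demand that it be are asking for something pinning cannot provide. The following added example (not code from the question or from Android) computes the correct SPKI pin from a DER certificate in pure Python and emits the matching network security config. The certificate is constructed in-script with dummy fields and an unsigned body so the code runs offline; `api.example.com`, the key bytes and the expiry date are assumptions.

```python
"""Compute the Android <pin digest="SHA-256"> value for a certificate.

Added example (not from the question or from Android). The pin is
base64(SHA-256(SubjectPublicKeyInfo)), so the code walks the certificate's
DER structure to the SPKI instead of hashing the whole certificate.
"""
import base64
import hashlib


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, raw_tlv, next_pos)."""
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def _children(content: bytes):
    """List the (tag, content, raw_tlv) elements inside a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, raw, pos = _read_tlv(content, pos)
        out.append((tag, inner, raw))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the full DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert_body, _, _ = _read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs_body, _, _ = _read_tlv(cert_body, 0)   # tbsCertificate SEQUENCE
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def pin_of_spki(spki_der: bytes) -> str:
    """The pin-set encoding: base64 of the SHA-256 over the SPKI DER bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin_sha256(cert_der: bytes) -> str:
    """Correct value for <pin digest="SHA-256"> in network_security_config.xml."""
    return pin_of_spki(extract_spki(cert_der))


def cert_fingerprint_sha256(cert_der: bytes) -> str:
    """Whole-certificate fingerprint, shown only for contrast: Android will NOT match it."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def network_security_config(domain: str, pins: list, expiration: str) -> str:
    """Render a domain-config with a pin-set; pass at least two pins (current + backup)."""
    pin_lines = "\n".join(f'            <pin digest="SHA-256">{p}</pin>' for p in pins)
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<network-security-config>\n"
        "    <domain-config>\n"
        f'        <domain includeSubdomains="true">{domain}</domain>\n'
        f'        <pin-set expiration="{expiration}">\n'
        f"{pin_lines}\n"
        "        </pin-set>\n"
        "    </domain-config>\n"
        "</network-security-config>"
    )


def build_dummy_cert(pubkey: bytes) -> bytes:
    """Constructed, unsigned placeholder certificate (Ed25519 SPKI, zeroed signature),
    only so the parser has realistic input; not a real or usable certificate."""
    oid_ed25519 = der(0x06, bytes([0x2B, 0x65, 0x70]))  # 1.3.101.112
    spki = der(0x30, der(0x30, oid_ed25519) + der(0x03, b"\x00" + pubkey))
    cn = der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x0C, b"api.example.com"))
    name = der(0x30, der(0x31, cn))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    sig_alg = der(0x30, oid_ed25519)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    cert = build_dummy_cert(bytes(range(32)))  # assumed key bytes
    pin = spki_pin_sha256(cert)
    print("SPKI pin (use this):      ", pin)
    print("cert fingerprint (do not):", cert_fingerprint_sha256(cert))
    print(network_security_config("api.example.com", [pin, "<backup-key-pin>"], "2025-01-01"))
```

For a real certificate, read the DER bytes (`open("server.der", "rb").read()`, or base64-decode the body of a PEM file) and pass them to `spki_pin_sha256`. Always ship a second pin for a backup key that is already generated and stored offline; a single pin plus a key rotation is a self-inflicted outage that the `expiration` attribute only softens.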