SSL Pinning with Volley network library on Android
I want to use SSL Pinning in volley network library. Is there any way to implement SSL pinning with volley? Does volley provide this support for security improvements?

Cinque answered 28/1, 2015 at 11:23 Comment(3)
Did you find anything?Laterite
Is the main purpose of this is to prevent MITM? If the attacker can reverse compile the APK and extract the cert, what is it really preventing?Belenbelesprit
@TakeshiKaga I don't think you are quite right. Extracting the public key from the app won't help you perform a MITM attack, since you need the private key. For a better understanding, check how TLS works. What you can do is recompile the app and change the key, but that makes only your build vulnerable.Atlantean
I just implemented it like described here: http://blog.ostorlab.co/2016/05/ssl-pinning-in-android-networking.html

Here is the needed code for a volley-implementation:

import java.io.BufferedInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import com.android.volley.toolbox.HurlStack;
import com.android.volley.toolbox.Volley;

// Runs inside an Activity/Context (getResources(), mCtx); the calls below throw checked
// IOException / GeneralSecurityException subclasses, so declare or catch them.
CertificateFactory cf = CertificateFactory.getInstance("X.509");

// Generate the certificate using the certificate file under res/raw/cert.cer
InputStream caInput = new BufferedInputStream(getResources().openRawResource(R.raw.cert));
Certificate ca = cf.generateCertificate(caInput);
caInput.close();

// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore trusted = KeyStore.getInstance(keyStoreType);
trusted.load(null, null);
trusted.setCertificateEntry("ca", ca);

// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(trusted);

// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);

// Only the bundled certificate (and anything it signs) is trusted; the platform CAs are no longer consulted
SSLSocketFactory sf = context.getSocketFactory();
mRequestQueue = Volley.newRequestQueue(mCtx.getApplicationContext(), new HurlStack(null, sf));

Seems to work!

Amie answered 26/4, 2017 at 12:50 Comment(2)
It works the first/second time and shows an SSLHandshakeException. However, it doesn't work when you retry: you successfully get the network response.Max
@Max have you found any solution for SSL pinning with volley?Junna
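An added example, not code from the answer above: instead of replacing the platform trust store with the single certificate from res/raw, this X509TrustManager keeps the normal system chain validation and additionally requires a SubjectPublicKeyInfo pin, so an expired or mis-issued certificate is still rejected and a renewed certificate that keeps the same key still passes. The class and method names (PinnedTrustManager, pinOf, newPinnedQueue) are this example's own, and the pin strings are supplied by the caller.

```java
import java.security.*;
import java.security.cert.*;
import java.util.Set;
import javax.net.ssl.*;
import android.content.Context;
import android.util.Base64;
import com.android.volley.RequestQueue;
import com.android.volley.toolbox.HurlStack;
import com.android.volley.toolbox.Volley;

// Validates the chain with the platform CAs first, then requires an SPKI pin match (defence in depth).
public final class PinnedTrustManager implements X509TrustManager {
    private final X509TrustManager system;  // platform trust manager: signatures, expiry, name constraints
    private final Set<String> pins;         // "sha256/<base64>" strings, the same format OkHttp uses
    public PinnedTrustManager(Set<String> pins) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null KeyStore = the device's default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.system = found;
        this.pins = pins;
    }
    // Pin of a certificate: base64(SHA-256(DER SubjectPublicKeyInfo)); it survives a renewal that keeps the key.
    public static String pinOf(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        return "sha256/" + Base64.encodeToString(digest, Base64.NO_WRAP);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkServerTrusted(chain, authType);  // step 1: ordinary PKI validation must pass
        try {
            for (X509Certificate cert : chain) {       // step 2: the leaf or any intermediate may carry the pin
                if (pins.contains(pinOf(cert))) return;
            }
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        throw new CertificateException("server chain matched none of the configured pins");
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { system.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
    // Volley queue whose HurlStack uses this trust manager; always configure a backup pin for key rotation.
    public static RequestQueue newPinnedQueue(Context ctx, Set<String> pins) throws GeneralSecurityException {
        SSLContext ssl = SSLContext.getInstance("TLS");
        ssl.init(null, new TrustManager[] { new PinnedTrustManager(pins) }, null);
        return Volley.newRequestQueue(ctx.getApplicationContext(), new HurlStack(null, ssl.getSocketFactory()));
    }
}
```

Hostname verification is still done by HttpsURLConnection's HostnameVerifier, so this class only has to decide whether the chain is acceptable.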
I just looked into the same thing for a project I am working on. The position I am in may be different to you however.

I am using Volley with an OKHttp Network stack (https://gist.github.com/JakeWharton/5616899):

Add these to your Gradle build:

compile "com.squareup.okhttp3:okhttp:3.x.y"                // 3.x.y is a placeholder version; the Builder and sha256 pin APIs below need the okhttp3 artifacts, not com.squareup.okhttp 2.x
compile "com.squareup.okhttp3:okhttp-urlconnection:3.x.y"  // provides okhttp3.OkUrlFactory, which later OkHttp releases removed

Add an OKHttpStack class:

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import com.android.volley.toolbox.HurlStack;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.OkUrlFactory;

public class OKHttpStack extends HurlStack {
    private final OkUrlFactory okUrlFactory;

    public OKHttpStack() {
        this(new OkUrlFactory(
            new OkHttpClient.Builder()
                .certificatePinner(
                    new CertificatePinner.Builder()
                        // hostname plus the base64 SHA-256 of the certificate's SubjectPublicKeyInfo (this is the cert)
                        .add("example.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
                        .build())
                .build()));
    }

    public OKHttpStack(OkUrlFactory okUrlFactory) {
        if (okUrlFactory == null) {
            throw new NullPointerException("Client must not be null.");
        }
        this.okUrlFactory = okUrlFactory;
    }

    @Override
    protected HttpURLConnection createConnection(URL url) throws IOException {
        // Every Volley request now goes through the pinned OkHttpClient
        return okUrlFactory.open(url);
    }
}

When you then create your RequestQueue do something like:

Network network = new BasicNetwork(new OKHttpStack());
File cacheDir = new File(context.getCacheDir(), "volley");
int threads = 4;
mRequestQueue = new RequestQueue(new DiskBasedCache(cacheDir), network, threads);
mRequestQueue.start(); // required when constructing RequestQueue directly; Volley.newRequestQueue() does this for you

Please note I have yet to test this, we are thinking about pinning at the moment.

Good luck! Gav

References:

https://gist.github.com/JakeWharton/5616899
https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/CertificatePinning.java

Grass answered 5/4, 2017 at 0:32 Comment(4)
Thank you man, your solution saved me. I had to implement SSL pinning on Android versions below 24, and we have two libraries in our app, Volley and Ksoap. I was getting no help from anywhere; even TrustKit was not working. Then I came across your solution and took the HurlStack part, and pinning was available with Volley in a jiffy. What I don't understand is this: I create an OkHttp client, add a certificate pinner to it, then have this code mRequestQueue = Volley.newRequestQueue(context, new HurlStack(null, okClien.sslSocketFactory)); the app ran smoothly, but SSL pinning was not working. Do you know why?Moidore
When you create your instance of the Request Queue (mRequestQueue) you are passing it a new HurlStack and not your custom OKHttpStack. Try switching out the instantiation of the Request queue with something like mRequestQueue = Volley.newRequestQueue(context, new OKHttpStack(...));Grass
OK, I didn't know that we can instantiate a Volley request queue with OKHttpStack. I was limited by my knowledge in this area. I'll try this whenever I face this kind of thing again. Thanks :)Moidore
okUrlFactory.open is not available now so the app crashes. Any solution for this?Mayce
You can use public key pinning instead of certificate pinning:

Public Key Pinning with Volley Library

Dimercaprol answered 4/2, 2016 at 13:21 Comment(1)
The problem with HPKP is that the app will be vulnerable the first time it connects to the web service. If an attacker can do a MitM at that moment, the client can be pinned with a wrong certificate for a very long time. This will not happen if you pin the connection using traditional certificate pinning.Wholehearted
I am implementing the same exact thing. I found a blog post that will hopefully be of help to you:

http://ogrelab.ikratko.com/using-android-volley-with-self-signed-certificate/

Flabellate answered 3/2, 2015 at 1:50 Comment(2)
I tried this, but there is a problem. I downloaded the sample code and just changed the website URL to "google.com", and it doesn't give any error: it connects to google.com and gets data. Did you see that?Cinque
I tried the test certificate file and my own certificate, but the result is the same.Cinque
You can use network_security_config.xml; more info: https://developer.android.com/training/articles/security-config

Wacky answered 17/1, 2022 at 16:36 Comment(0)
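A constructed network_security_config.xml pinning example, added here and not part of the answer above: the domain, the expiration date and the pin digests are placeholders. The platform trust manager enforces this config on Android 7.0 (API 24) and later, which covers Volley's default HurlStack because it goes through HttpsURLConnection.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" on <application>.
     Constructed example: the domain, date and pin values below are placeholders, not real values. -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- After the expiration date the pins stop being enforced (system CA validation still applies),
             which bounds the outage if the key is rotated without an app update. -->
        <pin-set expiration="2025-12-31">
            <!-- primary pin: base64 SHA-256 of the SubjectPublicKeyInfo of the leaf or issuing CA -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup pin for a key held offline, so a planned rotation does not lock out existing installs -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Unlike the res/raw approach in the accepted answer, the configured pins are checked in addition to, not instead of, the normal CA validation.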
