
Android SSL-certificate pinning

Open CAMOBAP opened this issue 3 years ago • 2 comments

Looks like no third-party libraries are needed; ~this can be achieved by a single config https://developer.android.com/training/articles/security-config#CertificatePinning~

Upd. We need to be able to update certs: https://github.com/wultra/ssl-pinning-android allows dynamic SSL pinning

CAMOBAP, May 11 '22 21:05

This would have the same issue as any naive pin: you can get stuck on an old cert. Their suggestion to expire pins after time X is laughable.

Check out the same source used for the iOS pinning for Android details.

e271828-, May 11 '22 23:05

> This would have the same issue as any naive pin: you can get stuck on an old cert. Their suggestion to expire pins after time X is laughable.
>
> Check out the same source used for the iOS pinning for Android details.

It's much safer and more reliable to pin the root cert instead. Almost the same level of peace of mind, without having to stay ahead of the ever shorter expiry dates. Android permits you to specify that certain root(s) are trusted for a domain.

androidacy-user, Aug 15 '24 02:08
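Both approaches discussed in this thread, the single Network Security Config from the opening post and the "trust only a specific root for the domain" variant from the last comment, fit in one `res/xml/network_security_config.xml`. The file below is an added example written for this thread, not code from the hcaptcha-android-sdk project. The hostnames, the raw-resource name `pinned_root_ca` and the pin values are placeholders; the `openssl` pipeline in the comment is the standard way to derive an SPKI hash and is not specific to this project.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  res/xml/network_security_config.xml (added example; placeholders throughout).
  Activate it in AndroidManifest.xml:
    <application android:networkSecurityConfig="@xml/network_security_config" ...>
-->
<network-security-config>

    <!-- Variant A: SPKI pinning via <pin-set>, the approach criticised above.
         Each pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo:
           openssl x509 -in cert.pem -pubkey -noout \
             | openssl pkey -pubin -outform der \
             | openssl dgst -sha256 -binary | openssl enc -base64
         Android accepts the connection if ANY certificate in the validated chain
         matches a pin, so pinning an intermediate or root SPKI here survives leaf
         rotation; ship at least one backup pin either way.
         Once the expiration date passes, Android stops enforcing the pin-set and
         falls back to ordinary chain validation: a forgotten update silently
         downgrades to CA trust rather than breaking TLS. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2025-12-31">
            <!-- placeholder values, not real hashes; replace before shipping -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Variant B: restrict the trust anchors for the domain to one bundled root,
         the approach recommended in the last comment. The chain must terminate in
         the certificate stored at res/raw/pinned_root_ca (PEM or DER). Leaf and
         intermediate rotations under that root keep working; a certificate issued
         by any other CA, including one in the system store, is rejected for this
         domain. Nothing expires on the client side until the root itself does. -->
    <domain-config>
        <domain includeSubdomains="true">www.example.com</domain>
        <trust-anchors>
            <certificates src="@raw/pinned_root_ca"/>
        </trust-anchors>
    </domain-config>

    <!-- All other hosts: system CAs only (user-added CAs are already ignored by
         default on API 24+) and no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
</network-security-config>
```

The practical difference between the two variants is what happens on the day the pinned material changes: with `<pin-set>` a leaf pin that is not in the list fails the handshake until the app is updated (or the expiration date quietly switches pinning off), while with a root-only `<trust-anchors>` the app only breaks if the server moves to a different CA, which is exactly the trade-off the last comment is pointing at. Neither variant is "dynamic": updating either still means shipping a new build, which is the gap the wultra library linked in the opening post tries to fill.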