[guardian-dev] netcipher integrated pinning idea

Mark Murphy mmurphy at commonsware.com
Mon Mar 28 13:59:18 EDT 2016


On Mon, Mar 28, 2016, at 13:42, Hans-Christoph Steiner wrote:
> So NetCipher's ch.boye for a long time has included the ability to use a
> custom keystore.  Mark and I have been thinking that this could be a
> good approach for a form of integrated pinning in the NetCipher wrappers
> for all of the various HTTP APIs (HttpURLConnection, Apache HttpClient
> for Android, Volley, OkHTTP, etc).  The core idea would be a gradle
> plugin or script that downloads the Mozilla CA certificates collection,
> then fines the CA used by a provided HTTPS connection, then builds a
> custom keystore that only includes that specific CA's certificate from
> the Mozilla collection (turns out that Android N is including something
> very similar).

To clarify: what Android N offers is custom CA validation and
certificate pinning, baked into the framework. It does not have the
automatic generation of the credentials, leaving that up to you. Also,
it does not use keystores, but rather PEM or DER files. See:

http://developer.android.com/preview/features/security-config.html

So, there are two pieces to your proposed puzzle:

1. A Gradle plugin that generates the PEM/DER file(s) (at minimum)
necessary to lock an app down to only support certain CAs, based on the
root CA of the certificate chain for an HTTPS connection

2. A quasi-backport of the Android N network security configuration
stuff, presumably to integrate with NetCipher, where we apply the same
security configuration on Android 6.0 and older devices

Those are more-or-less independent: the plugin could be used for an app
with a minSdkVersion of N, and the backport could be used without the
plugin (e.g., for certificate pinning).

Both seem to have merit, though I think the latter one is more
important, if we can pull it off. Backwards compatibility is A Very Good
Thing for adoption, and while Google might offer their own backport of
this stuff, my guess is that they will not.

-- 
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy
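As an added illustration of the second piece discussed above (the pre-N "quasi-backport"), here is a small Java sketch that is not NetCipher or Android framework code. It loads one or more PEM-encoded CA certificates, the kind of file the proposed Gradle step would emit, into an empty in-memory KeyStore, builds a TrustManager and SSLContext that trust only those anchors, and applies it to an HttpsURLConnection. The class and method names (PinnedCaClient, trustManagerFromPem, rootIssuerOf) and the file name pinned-ca.pem are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical backport sketch (added example, not project code): trust only
 * the CA certificate(s) found in a PEM bundle produced at build time, instead
 * of the device's system CA store.
 */
public final class PinnedCaClient {

    /** Parse a PEM bundle (one or more CERTIFICATE blocks) into a trust manager
     *  whose only trust anchors are those certificates. */
    public static X509TrustManager trustManagerFromPem(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> cas = cf.generateCertificates(pem);
        if (cas.isEmpty()) {
            throw new IllegalArgumentException("PEM bundle contains no certificates");
        }

        // Start from an EMPTY keystore: no system CAs are inherited, so a chain
        // that does not lead to one of these anchors fails the TLS handshake.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int n = 0;
        for (Certificate ca : cas) {
            ks.setCertificateEntry("pinned-ca-" + (n++), ca);
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Wrap the trust manager in an SSLContext usable by HttpsURLConnection
     *  (and, via its socket factory, by OkHttp/Volley style clients). */
    public static SSLContext contextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /** Open an HTTPS connection that only succeeds against servers whose chain
     *  validates to one of the pinned anchors. HttpsURLConnection's default
     *  hostname verification is intentionally left in place. */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    /** The name a build-time tool would look up in the Mozilla CA collection:
     *  the issuer of the last certificate the server sent (servers usually
     *  omit the self-signed root itself from the chain they present). */
    public static String rootIssuerOf(Certificate[] serverChain) {
        X509Certificate last = (X509Certificate) serverChain[serverChain.length - 1];
        return last.getIssuerX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java PinnedCaClient pinned-ca.pem https://example.org/
        // (pinned-ca.pem is an assumed name for whatever the build step emits)
        try (InputStream pem = new FileInputStream(args[0])) {
            X509TrustManager tm = trustManagerFromPem(pem);
            System.out.println("anchors loaded: " + tm.getAcceptedIssuers().length);
            HttpsURLConnection conn = open(new URL(args[1]), contextFor(tm));
            // getResponseCode() performs the handshake; the chain is available after it
            System.out.println("HTTP " + conn.getResponseCode());
            System.out.println("root issuer: " + rootIssuerOf(conn.getServerCertificates()));
        }
    }
}
```

The important design choice is the empty keystore: loading the pinned CA into the system store, or adding a TrustManager alongside the default one, would still accept every other public CA. On Android N and later the same PEM file can instead be declared as a trust anchor in the network security configuration linked above, so the build-time output serves both code paths.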

