I am learning network security configuration in Android. Here is my configuration file:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">*.xx.com</domain>
        <pin-set expiration="2031-05-01">
            <!-- these two are certificates in *.xx.com certificate chains -->
            <pin digest="SHA-256">8Rxjasdfk7jjlasdnP6sdkxnjkkqaGZfjnxkynxndA=</pin>
            <pin digest="SHA-256">K0z9yJZklpaxAjkasxYjkLsUzxdUoewxj1z3z8lNgA=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
When I use Charles to capture the network traffic, URLs under *.xx.com can still be loaded normally. In my thoughts, the <pin-set> configuration would make the connection fail, since the certificates from Charles can't pass the certificate pinning validation.

If I remove <certificates src="user"/>, the certificate pinning works and URLs under *.xx.com can't be loaded. I doubt trusting user certificates makes certificate pinning stop working. Did I do something wrong?
I made a mistake. The domain should be xx.com here, not *.xx.com, while *.xx.com is used in OkHttp's CertificatePinner.
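The following is an added example, not code from the question above or from Android itself. It models the `<domain>` matching rule documented for the Network Security Config (an entry matches the host exactly, or any subdomain when `includeSubdomains="true"`; wildcard characters are not supported, so `*.xx.com` is just a literal string that no valid hostname can equal) and shows why, with the domain written as `*.xx.com`, a request to `api.xx.com` falls through to `<base-config>` (user CAs trusted, no pins), whereas with `xx.com` the `<domain-config>` with its pin set applies. The two configs are constructed inline and the pin values are placeholders; the "longest matching domain wins" tie-break and the inheritance of unspecified values from `<base-config>` are this example's simplification of the platform's resolution logic.

```python
"""Resolve which Network Security Config section applies to a host.

Added example: models the documented <domain> matching rule (exact match, or
subdomain match when includeSubdomains="true"; no wildcards) to show why a
<domain> written as "*.xx.com" never matches a real hostname.
"""
import xml.etree.ElementTree as ET

# Constructed sample configs (not from any real app); pin values are placeholders.
AS_POSTED = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">*.xx.com</domain>
        <pin-set expiration="2031-05-01">
            <pin digest="SHA-256">PLACEHOLDER_PIN_1=</pin>
            <pin digest="SHA-256">PLACEHOLDER_PIN_2=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""

# Same config with the domain written the way the platform expects.
CORRECTED = AS_POSTED.replace(">*.xx.com<", ">xx.com<")


def domain_matches(host, domain, include_subdomains):
    """Exact (case-insensitive) match, or a subdomain when includeSubdomains is set.
    '*' has no special meaning, so '*.xx.com' only matches the literal host '*.xx.com'."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if host == domain:
        return True
    return include_subdomains and host.endswith("." + domain)


def parse_config(xml_text):
    """Extract base-config and each domain-config into plain dicts."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    base = root.find("base-config")
    cfg = {
        "base": {
            "cleartext": base.get("cleartextTrafficPermitted"),
            "anchors": [c.get("src") for c in base.findall("trust-anchors/certificates")],
        },
        "domains": [],
    }
    for dc in root.findall("domain-config"):
        cfg["domains"].append({
            "domains": [(d.text.strip(), d.get("includeSubdomains", "false") == "true")
                        for d in dc.findall("domain")],
            "cleartext": dc.get("cleartextTrafficPermitted"),
            # A domain-config without its own <trust-anchors> inherits base-config's.
            "anchors": [c.get("src") for c in dc.findall("trust-anchors/certificates")] or None,
            "pins": [p.text.strip() for p in dc.findall("pin-set/pin")],
        })
    return cfg


def effective_config(cfg, host):
    """Pick the most specific (longest) matching <domain-config>, else <base-config>.
    Values a domain-config does not set are inherited from base-config."""
    best, best_len = None, -1
    for entry in cfg["domains"]:
        for domain, include_sub in entry["domains"]:
            if domain_matches(host, domain, include_sub) and len(domain) > best_len:
                best, best_len = entry, len(domain)
    base = cfg["base"]
    if best is None:
        return {"source": "base-config", "cleartext": base["cleartext"],
                "anchors": list(base["anchors"]), "pins": []}
    return {
        "source": "domain-config",
        "cleartext": best["cleartext"] if best["cleartext"] is not None else base["cleartext"],
        "anchors": best["anchors"] if best["anchors"] is not None else list(base["anchors"]),
        "pins": best["pins"],
    }


if __name__ == "__main__":
    for label, xml_text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        result = effective_config(parse_config(xml_text), "api.xx.com")
        print(f"{label:10s} api.xx.com -> {result['source']}, "
              f"pins={len(result['pins'])}, anchors={result['anchors']}")
```

Running it shows `api.xx.com` resolving to `base-config` with zero pins in the posted form, and to `domain-config` with both pins in the corrected form. Note that the corrected `<domain-config>` still inherits `system` and `user` trust anchors from `<base-config>`, because it declares no `<trust-anchors>` of its own; the pin set is then checked against whichever chain those anchors validate, unless a `<certificates>` source is given `overridePins="true"`, which is not set here.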