Reputation: 621
I am trying to understand how certificate pinning and public key pinning are done. After reading different blogs I got more confused about the concept, which is why I am adding this question. I want to know:
1. How to implement certificate pinning with an example
2. How to implement public key pinning with an example
Upvotes: 4
Views: 7701
Reputation: 13104
1. How to implement certificate pinning with an example
In my opinion you shouldn't follow this approach, because you need to hardcode the certificates inside the mobile app binary. This requires that, each time they are renewed, a new version of the mobile app be released in advance that supports both certificates, and you will need to force all users to upgrade. After all users have upgraded, you will need to release another version of the mobile app to remove the old certificates.
2. How to implement public key pinning with an example
The best approach here is to use the Mobile Certificate Pinning Generator online tool, which will create the proper network security config file to add to the Android app.
I recommend that you read the section Preventing MitM Attacks in this answer I gave to another question, where you will learn how to implement static certificate pinning and how to bypass it:
The easiest and quickest way to go about implementing static certificate pinning in a mobile app is by using the Mobile Certificate Pinning Generator, which accepts a list of domains you want to pin against and generates for you the correct certificate pinning configurations to use on Android and iOS.
Give it a list of domains to pin:
And the tool generates for you the Android configuration:
The tool even has instructions on how to go about adding the configurations to your mobile app, which you can find below the certificate pinning configuration box. They also provide a hands-on example Pin Test App for Android and for iOS that is a step-by-step tutorial.
This approach will not require a release of a new mobile app each time the certificate is renewed with the same public key.
Upvotes: 0
Reputation: 14158
Certificate or public key pinning is just a "whitelist" of expected connection certificate information, so that you can confirm that whoever you connected to is who you expect to be connected to. Basically it can detect man-in-the-middle situations.
Check out as a good general overview.
The only difference between certificate pinning and public key pinning is what data you are checking against in your whitelist. Since the certificate contains the public key, you can think of the certificate as being a superset of the data being checked. What you check will determine how strict you want to be in detecting minor certificate "changes".
There are also many ways to implement pinning, as outlined in the above link. It just comes down to what you decide to check against and how you store it in a whitelist. Since you are talking about Android, the link above mentions an Android recommended way, so you may like to look into that.
Another implementation you may like to look at is the Mozilla pinning implementation, which pins the public key with a whitelist of SHA-256 hashes of the public key stored in hex form.
Update: As mentioned by @Robert, certificate pinning should be done in addition to standard certificate chain checking. It should not replace the standard certificate chain checking, especially when pinning at the root / intermediate certificate level.
Pinning root or intermediate certificates can make it less secure but more resilient to certificate changes. Usage of this type of setup depends on why you are using certificate pinning and whether you can update your client whitelist easily or not. These are security trade-offs you make based on your specific situation.
Upvotes: 4
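An added example, written for this page and not taken from either answer: it shows the difference the two answers describe between pinning the whole certificate and pinning only the public key. It builds two minimal X.509-shaped DER certificates from constructed demo data that share one SubjectPublicKeyInfo (a renewal with the same key) and a third with a different key, then compares a whole-certificate SHA-256 pin with an SPKI pin in the base64 SHA-256 form the Android network security config uses (Mozilla's hex form is the same digest, encoded differently). The DER builder, OIDs and key bytes are constructed for the demo; the certificates are unsigned and not usable for TLS.

```python
import base64
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value; lengths up to 255 are enough for this demo."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes([tag]) + length + body

def der_children(body: bytes):
    """Split a DER SEQUENCE body into (tag, value, full_tlv) triples (long-form lengths handled)."""
    out, i = [], 0
    while i < len(body):
        start, tag, n, i = i, body[i], body[i + 1], i + 2
        if n & 0x80:                                   # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(body[i:i + k], "big"), i + k
        out.append((tag, body[i:i + n], body[start:i + n]))
        i += n
    return out

def make_spki(key_blob: bytes) -> bytes:  # SubjectPublicKeyInfo: AlgorithmIdentifier(rsaEncryption) + BIT STRING
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_blob))

def make_cert(serial: int, spki: bytes) -> bytes:
    """X.509-shaped Certificate built from constructed demo data (unsigned, so not a usable cert)."""
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                                   # [0] version v3
        der_tlv(0x02, serial.to_bytes(2, "big")),                                # serialNumber
        der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # signature algorithm
        der_tlv(0x30, b""),                                                      # issuer (empty Name)
        der_tlv(0x30, der_tlv(0x17, b"240101000000Z") * 2),                      # validity
        der_tlv(0x30, b""),                                                      # subject (empty Name)
        spki,                                                                    # subjectPublicKeyInfo
    ]))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

def cert_pin(cert_der: bytes) -> str:  # certificate pinning: hash the whole DER, so every renewal changes it
    return hashlib.sha256(cert_der).hexdigest()

def spki_pin(cert_der: bytes) -> str:
    """Public key pinning: base64(SHA-256(SubjectPublicKeyInfo)), the form Android's <pin> uses."""
    cert_body = der_children(cert_der)[0][1]                   # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = der_children(der_children(cert_body)[0][1])       # children of tbsCertificate
    idx = 6 if fields[0][0] == 0xA0 else 5                     # [0] version is absent in v1 certs
    return base64.b64encode(hashlib.sha256(fields[idx][2]).digest()).decode()

def pin_ok(cert_der: bytes, whitelist: set) -> bool:  # extra check run after (never instead of) chain validation
    return spki_pin(cert_der) in whitelist
```

Renewing with the same key leaves `spki_pin` unchanged while `cert_pin` changes, which is why the public key pin survives certificate renewal as the first answer notes.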