Reputation: 7347
I'm trying out certificate pinning in my app, and I see that I can do it using OkHttp directly, or through Android Network Security Config.
Two practical differences I can think of are:
Are there any others?
Upvotes: 4
Views: 2396
Reputation: 13074
OkHttp method is supported below Android 7
Yes it is, but programming yourself such an important piece of security software is not an easy task, and you can easily shoot yourself in the foot, even when you are well versed in security and certificate pinning.
If you really need to support certificate pinning below Android API 24, then I would recommend you use TrustKit:
TrustKit Android is an open source library that makes it easy to deploy SSL public key pinning and reporting in any Android App.
Android Network Security Config method applies even when not using OkHttp
This is one of its main advantages, alongside the fact that it is not prone to programmatic errors, only configuration errors, like not correctly extracting the public key pin for the domain being pinned and/or having typos in it.
Fortunately we now have a free online tool to help us prevent such errors. The Mobile Certificate Pinning Generator will give us a ready-to-use network_security_config.xml file for the domain(s) we want to pin in our mobile app.
For example:
Now you just need to copy-paste the file into your project, and the tool even has a step-by-step tutorial to show us how to do it correctly.
You can also use the tool to get the pins to use in TrustKit :)
Upvotes: 4
Reputation: 13458
With Android Network Security Config support, "it is possible to set an expiration time for pins after which pinning is not performed". But ultimately, as OkHttp is a programmatic API, you can configure it any way that you want.
But a reminder to discuss and plan with your security team how you apply pinning, so you pin against a certificate policy they follow. You don't want to lock users out if the security team needs to re-issue certificates or change providers or switch to a backup.
Upvotes: 1
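The two answers above raise two concrete points about the OkHttp route: the pin itself is easy to compute wrongly (first answer), and OkHttp has no built-in equivalent of the Network Security Config `expiration` attribute or of a declared backup pin, so you have to build that policy yourself (second answer). The Kotlin below is an added example, not code from the question, either answer, OkHttp or TrustKit. It assumes OkHttp 4.x with okio on the classpath; the host `api.example.com`, the two pin strings, the expiry date and the names `spkiPin`, `parsePem`, `pinSetCovers` and `buildClient` are all constructed placeholders for illustration.

```kotlin
// Added example (not from the question or the answers above). Assumes OkHttp 4.x
// and okio on the classpath; host name, pins and expiry are constructed placeholders.
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okio.ByteString.Companion.toByteString
import java.io.ByteArrayInputStream
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

// Host to pin (placeholder) and its pin set: one pin for the key currently served
// plus one backup pin for a key kept offline, so a certificate re-issue or provider
// change can be rolled out without locking users out of the app.
const val PINNED_HOST = "api.example.com"
val PIN_SET = listOf(
    "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // placeholder: current SPKI pin
    "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="  // placeholder: backup-key SPKI pin
)

// Mirrors the Network Security Config <pin-set expiration="..."> behaviour, which
// OkHttp does not provide: once this instant has passed the pinner is simply not
// installed and the platform's normal chain validation still applies.
// Constructed example value: 2026-01-01T00:00:00Z as epoch milliseconds.
const val PIN_EXPIRY_EPOCH_MS = 1_767_225_600_000L

// A pin is the SHA-256 of the DER-encoded SubjectPublicKeyInfo, base64-encoded.
// PublicKey.getEncoded() returns exactly that DER structure, so hashing it is the
// correct input; hashing the whole certificate or the PEM text yields a pin that
// never matches and is the kind of extraction error the first answer warns about.
// (OkHttp's own CertificatePinner.pin(cert) computes the same value.)
fun spkiPin(cert: X509Certificate): String {
    val spkiDer: ByteArray = cert.publicKey.encoded
    return "sha256/" + spkiDer.toByteString().sha256().base64()
}

// Parses a PEM certificate exported from the server during release preparation.
fun parsePem(pem: String): X509Certificate =
    CertificateFactory.getInstance("X.509")
        .generateCertificate(ByteArrayInputStream(pem.toByteArray(Charsets.US_ASCII)))
        as X509Certificate

// Release-time self check against typos: the certificate you expect to serve must
// be covered by at least one configured pin, otherwise the pin set was copied
// wrongly or computed from the wrong key and every connection would fail.
fun pinSetCovers(cert: X509Certificate, pins: List<String> = PIN_SET): Boolean =
    spkiPin(cert) in pins

// Builds the client; pinning is enforced only while the pin set is unexpired.
fun buildClient(nowEpochMs: Long = System.currentTimeMillis()): OkHttpClient {
    val builder = OkHttpClient.Builder()
    if (nowEpochMs < PIN_EXPIRY_EPOCH_MS) {
        val pinner = CertificatePinner.Builder().apply {
            for (pin in PIN_SET) add(PINNED_HOST, pin)
        }.build()
        builder.certificatePinner(pinner)
    }
    return builder.build()
}
```

Run `pinSetCovers(parsePem(exportedPem))` in a release check or unit test before shipping; a `false` result means the hard-coded pins do not match the key you intend to pin. The same policy expressed in Network Security Config is a `<domain-config>` for the host containing a `<pin-set expiration="2026-01-01">` with two `<pin digest="SHA-256">` entries, one per key, which is the declarative form the generator tool from the first answer produces.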