Network Libraries and WebViews
Applications that use third-party networking libraries may utilize the libraries' certificate pinning functionality. For example, OkHttp can be set up with the CertificatePinner as follows:
```java
OkHttpClient client = new OkHttpClient.Builder()
        .certificatePinner(new CertificatePinner.Builder()
                .add("example.com", "sha256/UwQAapahrjCOjYI3oLUx5AQxPBR02Jz6/E2pt0IeLXA=")
                .build())
        .build();
```
Applications that use a WebView component may utilize the WebViewClient's event handler for some kind of "certificate pinning" of each request before the target resource is loaded. The following code shows an example verification:
```java
WebView myWebView = (WebView) findViewById(R.id.webview);
myWebView.setWebViewClient(new WebViewClient() {
    private String expectedIssuerDN = "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US;";

    @Override
    public void onLoadResource(WebView view, String url) {
        // From Android API documentation about "WebView.getCertificate()":
        // Gets the SSL certificate for the main top-level page
        // or null if there is no certificate (the site is not secure).
        //
        // Available information on SslCertificate class are "Issuer DN", "Subject DN" and validity date helpers
        SslCertificate serverCert = view.getCertificate();
        if (serverCert != null) {
            // apply either certificate or public key pinning comparison here
            // Throw exception to cancel resource loading...
        }
    }
});
```
A better alternative is to use an OkHttpClient with configured pins and let it act as a proxy by overriding shouldInterceptRequest of the WebViewClient.
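One way to wire up that proxy, as an added example that is not code from the original page: the class name `PinnedWebViewClient` is hypothetical, the host and pin are the sample values from the OkHttp snippet above, and the "HTTPS GET only" policy is an assumption of this sketch.

```java
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.util.Map;
import okhttp3.CertificatePinner;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;
// Hypothetical class name; host and pin are the sample values from the OkHttp snippet above.
public class PinnedWebViewClient extends WebViewClient {
    private final OkHttpClient client = new OkHttpClient.Builder()
            .certificatePinner(new CertificatePinner.Builder()
                    .add("example.com", "sha256/UwQAapahrjCOjYI3oLUx5AQxPBR02Jz6/E2pt0IeLXA=")
                    .build())
            .build();

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        // Assumed policy: only HTTPS GETs are proxied (the callback exposes no request body).
        if (!"https".equals(request.getUrl().getScheme())
                || !"GET".equalsIgnoreCase(request.getMethod())) {
            return blocked();
        }
        try {
            Request.Builder builder = new Request.Builder().url(request.getUrl().toString());
            for (Map.Entry<String, String> h : request.getRequestHeaders().entrySet()) {
                builder.header(h.getKey(), h.getValue());
            }
            Response response = client.newCall(builder.build()).execute();
            ResponseBody body = response.body();
            MediaType type = body.contentType();
            Charset cs = type != null ? type.charset() : null;
            String mime = type != null ? type.type() + "/" + type.subtype() : "text/plain";
            return new WebResourceResponse(mime, cs != null ? cs.name() : null, body.byteStream());
        } catch (IOException | IllegalArgumentException e) {
            // A pin mismatch surfaces as SSLPeerUnverifiedException, an IOException: fail closed.
            return blocked();
        }
    }
    // Returning null would let the WebView fetch the URL itself, without pinning.
    private static WebResourceResponse blocked() {
        return new WebResourceResponse("text/plain", "UTF-8", new ByteArrayInputStream(new byte[0]));
    }
}
```

Only hosts added to the CertificatePinner are pinned; requests to any other host still pass through OkHttp with ordinary certificate validation. This sketch does not carry over the WebView's cookies or the upstream status code, which a production proxy would need to handle.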