*We have followed the steps below for SSL pinning in Android*
1. Certificate pinning: pin the certificate itself
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Applies to example.com and all of its subdomains -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <!-- Only the certificate in res/raw/my_ca is trusted as an anchor for these hosts -->
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
2. We downloaded the certificate into our res/raw folder and referenced it
in the network-security-config
3. Added a reference to network_security_config.xml in our
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <!-- Points the platform at res/xml/network_security_config.xml -->
    <application
        android:networkSecurityConfig="@xml/network_security_config" ... >
        ...
    </application>
</manifest>
Now, after opening the app on our Android device, all network requests
go through *Burp Suite Community Edition* and we can inspect each
request easily, even without any SSL bypass.
How can we prevent a man-in-the-middle from intercepting the app's
communication, even after an SSL bypass?
--
You received this message because you are subscribed to the Google Groups
"Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/android-developers/baf9946f-9b64-4d16-a4f4-754c2b4ea665n%40googlegroups.com.
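As an added example (not code from the original post, and not a statement about what went wrong in the poster's setup), here is a network_security_config.xml that pins the server's public keys rather than trusting a CA file, keeps user-installed CAs such as a proxy's root out of the trust anchors, and confines any interception CA to a debug-overrides block that Android only honours when the application is debuggable. The domain, the expiration date, the raw resource name and both pin values are placeholders; a real pin is the base64 SHA-256 digest of the DER-encoded SubjectPublicKeyInfo of the leaf key plus a backup key that is not yet deployed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Release defaults: system CAs only, no cleartext. "user" is deliberately
         absent so a CA installed through device settings is never trusted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <domain-config>
        <!-- Placeholder host: replace with the API host the app actually talks to.
             Traffic to any other host is not covered by this pin-set. -->
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- Placeholder pins (base64 SHA-256 of the SPKI, 44 characters each).
             Two pins: the live key and a backup key, so a key rotation does not
             brick installed apps. expiration is optional; after that date pins
             are no longer enforced, so the app keeps working if it is never updated. -->
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBE=</pin>
        </pin-set>

        <!-- Chains must still validate against a trusted anchor AND match a pin. -->
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>

    <!-- Only applied when android:debuggable="true" (IDE debug builds).
         Chains that end at an anchor listed here are exempt from the pin-set,
         which is what makes a proxy usable in development without weakening
         the release build. Placeholder resource name. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="@raw/debug_proxy_ca"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Three checks are worth running before concluding that the file is in force: the app must target and run on API 24 or later, because earlier releases ignore the configuration entirely and trust user-installed CAs by default; the host in the `<domain>` element must be the one the traffic actually goes to, since a request to any other host falls back to `<base-config>`; and the networking library must be using the platform's trust manager, because code that installs its own `TrustManager` or `SSLSocketFactory` bypasses this file altogether.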