On Mon, Mar 28, 2016, at 13:42, Hans-Christoph Steiner wrote: > So NetCipher's ch.boye for a long time has included the ability to use a > custom keystore. Mark and I have been thinking that this could be a > good approach for a form of integrated pinning in the NetCipher wrappers > for all of the various HTTP APIs (HttpURLConnection, Apache HttpClient > for Android, Volley, OkHTTP, etc). The core idea would be a gradle > plugin or script that downloads the Mozilla CA certificates collection, > then fines the CA used by a provided HTTPS connection, then builds a > custom keystore that only includes that specific CA's certificate from > the Mozilla collection (turns out that Android N is including something > very similar).
To clarify: what Android N offers is custom CA validation and certificate pinning, baked into the framework. It does not have the automatic generation of the credentials, leaving that up to you. Also, it does not use keystores, but rather PEM or DER files. See: http://developer.android.com/preview/features/security-config.html So, there are two pieces to your proposed puzzle: 1. A Gradle plugin that generates the PEM/DER file(s) (at minimum) necessary to lock an app down to only support certain CAs, based on the root CA of the certificate chain for an HTTPS connection 2. A quasi-backport of the Android N network security configuration stuff, presumably to integrate with NetCipher, where we apply the same security configuration on Android 6.0 and older devices Those are more-or-less independent: the plugin could be used for an app with a minSdkVersion of N, and the backport could be used without the plugin (e.g., for certificate pinning). Both seem to have merit, though I think the latter one is more important, if we can pull it off. Backwards compatibility is A Very Good Thing for adoption, and while Google might offer their own backport of this stuff, my guess is that they will not. -- Mark Murphy (a Commons Guy) https://commonsware.com | https://github.com/commonsguy https://commonsware.com/blog | https://twitter.com/commonsguy _______________________________________________ List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To unsubscribe, email: guardian-dev-unsubscr...@lists.mayfirst.org