Re: [guardian-dev] netcipher integrated pinning idea

2016-03-28 Thread Mark Murphy
On Mon, Mar 28, 2016, at 13:42, Hans-Christoph Steiner wrote:
> So NetCipher's ch.boye for a long time has included the ability to use a
> custom keystore.  Mark and I have been thinking that this could be a
> good approach for a form of integrated pinning in the NetCipher wrappers
> for all of the various HTTP APIs (HttpURLConnection, Apache HttpClient
> for Android, Volley, OkHTTP, etc).  The core idea would be a gradle
> plugin or script that downloads the Mozilla CA certificates collection,
> then finds the CA used by a provided HTTPS connection, then builds a
> custom keystore that only includes that specific CA's certificate from
> the Mozilla collection (turns out that Android N is including something
> very similar).

To clarify: what Android N offers is custom CA validation and
certificate pinning, baked into the framework. It does not have the
automatic generation of the credentials, leaving that up to you. Also,
it does not use keystores, but rather PEM or DER files. See:

http://developer.android.com/preview/features/security-config.html

So, there are two pieces to your proposed puzzle:

1. A Gradle plugin that generates the PEM/DER file(s) (at minimum)
necessary to lock an app down to only support certain CAs, based on the
root CA of the certificate chain for an HTTPS connection

2. A quasi-backport of the Android N network security configuration
stuff, presumably to integrate with NetCipher, where we apply the same
security configuration on Android 6.0 and older devices

Those are more-or-less independent: the plugin could be used for an app
with a minSdkVersion of N, and the backport could be used without the
plugin (e.g., for certificate pinning).

Both seem to have merit, though I think the latter one is more
important, if we can pull it off. Backwards compatibility is A Very Good
Thing for adoption, and while Google might offer their own backport of
this stuff, my guess is that they will not.

-- 
Mark Murphy (a Commons Guy)
https://commonsware.com | https://github.com/commonsguy
https://commonsware.com/blog | https://twitter.com/commonsguy
___
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email:  guardian-dev-unsubscr...@lists.mayfirst.org


[guardian-dev] netcipher integrated pinning idea

2016-03-28 Thread Hans-Christoph Steiner

So NetCipher's ch.boye for a long time has included the ability to use a
custom keystore.  Mark and I have been thinking that this could be a
good approach for a form of integrated pinning in the NetCipher wrappers
for all of the various HTTP APIs (HttpURLConnection, Apache HttpClient
for Android, Volley, OkHTTP, etc).  The core idea would be a gradle
plugin or script that downloads the Mozilla CA certificates collection,
then finds the CA used by a provided HTTPS connection, then builds a
custom keystore that only includes that specific CA's certificate from
the Mozilla collection (turns out that Android N is including something
very similar).

I'd love to hear feedback, flames, comments, etc on whether this would
be a good idea both in terms of security and ease of use.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex=0xE9E28DEA00AA5556
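
The selection step discussed in this thread (take a CA collection, find the root that the server's chain leads to, keep only that certificate as a PEM file), as an added example that is not code from either poster or from NetCipher. It assumes the OpenSSL 1.1.0+ command line; the function and file names are hypothetical, and throwaway roots generated on the spot stand in for the Mozilla collection and the server's certificate.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the OpenSSL 1.1.0+ CLI is on PATH.
# All function and file names here are hypothetical.

# split_bundle BUNDLE DIR: write each certificate of a PEM bundle to DIR/ca-NNN.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# pin_root BUNDLE OUT LEAF [INTERMEDIATES]
# Copy to OUT the one bundle certificate that LEAF chains to; return 1 if none.
pin_root() {
    pr_work=$(mktemp -d) || return 1
    pr_inter=${4:-}
    pr_rc=1
    split_bundle "$1" "$pr_work"
    for pr_cand in "$pr_work"/ca-*.pem; do
        # Trust exactly one candidate at a time; -no-CApath keeps the system
        # certificate directory out of the decision.
        if openssl verify -no-CApath -CAfile "$pr_cand" \
               ${pr_inter:+-untrusted "$pr_inter"} "$3" >/dev/null 2>&1; then
            cp "$pr_cand" "$2"; pr_rc=0; break
        fi
    done
    rm -rf "$pr_work"
    return $pr_rc
}

# make_demo DIR: constructed sample input. Two throwaway roots stand in for the
# CA collection; leaf.pem, issued by root b, stands in for the server's chain.
make_demo() {
    for md_n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root $md_n" \
            -keyout "$1/root-$md_n.key" -out "$1/root-$md_n.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root-b.pem" -CAkey "$1/root-b.key" \
        -set_serial 1 -days 1 -out "$1/leaf.pem" 2>/dev/null || return 1
    cat "$1/root-a.pem" "$1/root-b.pem" > "$1/bundle.pem"
}

demo=$(mktemp -d) && make_demo "$demo" &&
    pin_root "$demo/bundle.pem" "$demo/pinned.pem" "$demo/leaf.pem" &&
    openssl x509 -in "$demo/pinned.pem" -noout -subject
```

Because the match is made by signature verification rather than by comparing issuer names, a leaf issued by a different key under the same root name is rejected and no PEM file is written.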