{"id":13816046,"url":"https://github.com/moxie0/AndroidPinning","last_synced_at":"2025-05-15T12:31:14.038Z","repository":{"id":1982288,"uuid":"2914073","full_name":"moxie0/AndroidPinning","owner":"moxie0","description":"A standalone library project for certificate pinning on Android.","archived":false,"fork":false,"pushed_at":"2015-08-20T13:31:42.000Z","size":433,"stargazers_count":619,"open_issues_count":16,"forks_count":114,"subscribers_count":37,"default_branch":"master","last_synced_at":"2024-11-19T12:49:41.926Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/moxie0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2011-12-05T03:24:09.000Z","updated_at":"2024-11-18T14:37:05.000Z","dependencies_parsed_at":"2022-08-09T04:18:46.171Z","dependency_job_id":null,"html_url":"https://github.com/moxie0/AndroidPinning","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moxie0%2FAndroidPinning","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moxie0%2FAndroidPinning/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moxie0%2FAndroidPinning/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moxie0%2FAndroidPinning/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/moxie0","download_url":"https://codeload.github.com/moxie0/AndroidPinning/ta
r.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254341030,"owners_count":22054968,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T05:00:31.703Z","updated_at":"2025-05-15T12:31:13.581Z","avatar_url":"https://github.com/moxie0.png","language":"Java","funding_links":[],"categories":["Java","Libs","Awesome Mobile Application Penetration Testing  ![awesome](https://awesome.re/badge.svg)"],"sub_categories":["\u003cA NAME=\"Widget\"\u003e\u003c/A\u003eWidget","Android Application Penetration Testing"],"readme":"Android Pinning\n=================\n\nAndroidPinning is a standalone Android library project that facilitates certificate pinning for SSL\nconnections from Android apps, in order to minimize dependence on Certificate Authorities.\n\nCA signatures are necessary for *general purpose* network communication tools: things like web\nbrowsers, which connect to arbitrary network endpoints and have no advance knowledge of what the SSL\ncertificates for those endpoints should look like.\n\nMost mobile apps are not *general purpose* communication tools.  Instead, they typically connect\ndirectly to a narrow set of backend services that the app's author either controls, or can\npredict ahead of time.\n\nThis creates an opportunity for app developers to sidestep the security problems inherent with\nCertificate Authorities.  
The best way is to throw CA certificates out the window entirely by\nsigning your own endpoint certificates with your own offline signing certificate, which you then\ndistribute with your app.  See [this blog post](http://thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/)\nfor examples of the no-CA technique.\n\nSometimes, however, that's not possible, and you need to continue using CA certificates for one\nreason or another.  Perhaps the API endpoint is shared with a web browser's endpoint, for instance.\n\nIn that case, it's necessary to employ \"pinning,\" which is simply the act of verifying that the\ncertificate chain looks the way you know it should, even if it's signed by a CA.  This prevents\n*other* CAs from being able to effectively create forged certificates for your domain, as with the\nmany Comodo breaches, the DigiNotar breach, and the TurkTrust breach.\n\nThis library is designed to make pinning easier on Android.  It's structured as an Android library\nproject, so you can simply link it to your own project and begin.\n\nUsing AndroidPinning\n-----------\n\nIf you're using gradle to build your project, you can include the AndroidPinning artifact by\nadding a dependency:\n\n```groovy\n   dependencies {\n       compile 'org.thoughtcrime.ssl.pinning:AndroidPinning:1.0.0'\n   }\n```\n\nExamples\n-----------\n\nUsing a simple `HttpsURLConnection` with a `PinningTrustManager`:\n\n```java\n// Define an array of pins.  One of these must be present\n// in the certificate chain you receive.  A pin is a hex-encoded\n// hash of an X.509 certificate's SubjectPublicKeyInfo. 
A pin can\n// be generated using the provided pin.py script:\n// python ./tools/pin.py certificate_file.pem\nString[] pins                 = new String[] {\"f30012bbc18c231ac1a44b788e410ce754182513\"};\nURL url                       = new URL(\"https://www.google.com\");\nHttpsURLConnection connection = PinningHelper.getPinnedHttpsURLConnection(context, pins, url);\n\nreturn connection.getInputStream();\n```\n\nUsing a simple `HttpClient` with a `PinningTrustManager`:\n\n```java\nString[] pins         = new String[] {\"f30012bbc18c231ac1a44b788e410ce754182513\"};\nHttpClient httpClient = PinningHelper.getPinnedHttpClient(context, pins);\n\nHttpResponse response = httpClient.execute(new HttpGet(\"https://www.google.com/\"));\n```\n\nIt's also possible to work with `PinningTrustManager` and `PinningSSLSocketFactory` more directly:\n\n```java\nString[] pins                 = new String[] {\"40c5401d6f8cbaf08b00edefb1ee87d005b3b9cd\"};\nSchemeRegistry schemeRegistry = new SchemeRegistry();\nschemeRegistry.register(new Scheme(\"http\", PlainSocketFactory.getSocketFactory(), 80));\nschemeRegistry.register(new Scheme(\"https\", new PinningSSLSocketFactory(getContext(), pins, 0), 443));\n\nHttpParams httpParams                     = new BasicHttpParams();\nClientConnectionManager connectionManager = new ThreadSafeClientConnManager(httpParams, schemeRegistry);\nDefaultHttpClient httpClient              = new DefaultHttpClient(connectionManager, httpParams);\n\nHttpResponse response = httpClient.execute(new HttpGet(\"https://www.google.com/\"));\n```\n\nIssues\n-----------\n\nHave a bug? 
Please create an issue here on GitHub!\n\nhttps://github.com/moxie0/AndroidPinning/issues\n\nLicense\n---------------------\n\nCopyright 2011-2013 Moxie Marlinspike\n\nLicensed under the GPLv3: http://www.gnu.org/licenses/gpl-3.0.html\n\nPlease contact me if this license doesn't work for you.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoxie0%2FAndroidPinning","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmoxie0%2FAndroidPinning","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoxie0%2FAndroidPinning/lists"}