Tags: android, security, ssl, network-programming, certificate-pinning

Android network security configuration: what is the difference between limiting the set of trusted CAs and certificate pinning?


There are two ways to reduce the risk of trusting public CAs in Android apps: limiting the trusted set of certificates or implementing certificate pinning. It is quite straightforward to implement the two solutions with the help of the network_security_config file (see: Android docs). But I would like to understand the difference between the two mechanisms better. I assume that limiting the set of trusted CAs is basically certificate pinning and that using the hash for pinning is basically key pinning. Is that correct? Then I could consider the pros and cons described here to decide for one or the other.

See also OWASPs guide about certificate pinning.
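As an added example (not taken from the question or from the Android docs), the network_security_config.xml below applies both mechanisms to one domain: the trust-anchors element restricts which CA may appear at the root of the chain, while the pin-set element requires that one of the listed SHA-256 hashes of a SubjectPublicKeyInfo appears somewhere in the chain. The domain, the @raw/my_ca resource name and the pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- Mechanism 1: limit the set of trusted CAs.
             Only chains that terminate at the CA in res/raw/my_ca.pem
             (placeholder resource) are accepted; the system store is
             NOT listed here, so public CAs are no longer trusted for
             this domain. -->
        <trust-anchors>
            <certificates src="@raw/my_ca" />
        </trust-anchors>

        <!-- Mechanism 2: public-key pinning.
             Each pin is base64(SHA-256(SubjectPublicKeyInfo)) of a key
             somewhere in the chain (leaf, intermediate or root).
             A second, backup pin avoids locking users out when the
             primary key is rotated. After the expiration date Android
             stops enforcing the pins (but still validates the chain),
             so a forgotten app update does not brick connectivity. -->
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PRIMARY_SPKI_HASH_PLACEHOLDER_BASE64=</pin>
            <pin digest="SHA-256">BACKUP_SPKI_HASH_PLACEHOLDER_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- All other domains keep the default behaviour: system CAs only,
         no pins. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

The two sections are independent: a domain-config may use either one alone, and when both are present a connection must satisfy both the trust-anchor restriction and the pin check.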


Solution

  • Thanks @bmaciejm for confirming my assumption that limiting the set of trusted pins is certificate pinning and using hashes is key pinning. Which means that I can consider the pros and cons described here.