datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.

Android API Level < 24 ignore SSL Pinning

josera21 opened this issue · comments

Describe the bug
SSL pinning is not working on Android 6 Marshmallow, but it works fine on Android N and above.

To Reproduce

  1. Initialize and configure TrustKit correctly.
  2. In the xml/network_security_config file, put some invalid certificates.
  3. Run the app on Android 6 and Android >= 7.
  4. The HTTPS requests on Android >= 7 are rejected correctly, but on Android 6 they work just fine.

Expected behavior
Requests with invalid certificates should not work on either Android 6 or Android >= 7.

TrustKit configuration

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <!-- Pin the domain -->
    <domain-config>
        <!-- Official Android N API -->
        <!-- The hostname was left out of the report; fill in the pinned domain here -->
        <domain includeSubdomains="true"></domain>
        <pin-set>
            <pin digest="SHA-256">JlgeWvslDDLd6LweqYxg4gANDQkZKDE7+ER3G/FP3BM=</pin>
            <pin digest="SHA-256">jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=</pin>
        </pin-set>
        <!-- TrustKit Android API -->
        <trustkit-config enforcePinning="true"/>
    </domain-config>
</network-security-config>

  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    /* Start of certificate pinning */
    try {
      // Load the pin-set from res/xml/network_security_config.xml
      TrustKit.initializeWithNetworkSecurityConfiguration(this);
    } catch (Exception e) {
      // Already initialized (e.g. the Activity was recreated); safe to continue
    }

    // OkHttp 3.3.x and higher
    OkHttpClient client =
            new OkHttpClient.Builder()
                    .sslSocketFactory(OkHttp3Helper.getSSLSocketFactory(), OkHttp3Helper.getTrustManager())
                    .build();
    /* End of certificate pinning */
  }

App details:

  • App target SDK: 30
  • App language: React Native 0.66.3
  • Android version to reproduce the bug: Android 6 (Marshmallow)
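The platform only reads network_security_config on API 24 and above; on older devices pins are checked only for connections that actually go through TrustKit's SSLSocketFactory and TrustManager. The self-check below, added here as an example and not part of the issue or the TrustKit project, builds a client exactly as the onCreate snippet above does and reports whether a request to the pinned host was rejected at the TLS layer. The class name PinningSelfCheck, the Result enum and the pinnedUrl parameter are assumptions; the TrustKit and OkHttp calls are the ones used in the report.

```java
// Added example, not from the original issue or the TrustKit project.
// Run it on a background thread (OkHttp rejects network calls on the main thread).
import android.content.Context;
import com.datatheorem.android.trustkit.TrustKit;
import com.datatheorem.android.trustkit.pinning.OkHttp3Helper;
import java.io.IOException;
import javax.net.ssl.SSLException;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinningSelfCheck {

    // Hypothetical result type for the check.
    public enum Result { PINNING_ENFORCED, PINNING_PASSED, NETWORK_ERROR }

    /**
     * Performs a HEAD request to pinnedUrl through a TrustKit-wired client.
     * With deliberately invalid pins in network_security_config (as in the report),
     * PINNING_ENFORCED is the expected outcome on every API level; PINNING_PASSED
     * means the chain was never validated against the pin-set.
     */
    public static Result run(Context context, String pinnedUrl) {
        try {
            // Same initialization as the onCreate snippet; TrustKit throws if it
            // was already initialized (e.g. by the Application class), which is fine.
            TrustKit.initializeWithNetworkSecurityConfiguration(context);
        } catch (Exception alreadyInitialized) {
            // Nothing to do; the existing instance keeps its configuration.
        }

        // Route the connection through TrustKit's socket factory and trust manager,
        // so the pin-set is enforced even where the OS ignores the config (API < 24).
        OkHttpClient client = new OkHttpClient.Builder()
                .sslSocketFactory(OkHttp3Helper.getSSLSocketFactory(),
                                  OkHttp3Helper.getTrustManager())
                .build();

        Request request = new Request.Builder().url(pinnedUrl).head().build();
        try (Response response = client.newCall(request).execute()) {
            // Handshake completed: the presented chain matched the pin-set,
            // or no pin check was applied to this connection at all.
            return Result.PINNING_PASSED;
        } catch (SSLException handshakeFailure) {
            // TrustKit's trust manager rejected the chain during the handshake.
            return Result.PINNING_ENFORCED;
        } catch (IOException other) {
            // DNS, timeout, connection refused: says nothing about pinning.
            return Result.NETWORK_ERROR;
        }
    }
}
```

Run the check twice when triaging: once with the real pins (expect PINNING_PASSED) and once with the invalid pins from the report (expect PINNING_ENFORCED). Getting PINNING_PASSED in the second run on an API 23 device, while the same build is rejected on API 24+, confirms the request did not go through the TrustKit-wired client rather than a problem with the pin-set itself.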