# Certificate Pinning Deep Dive

## Overview
Certificate pinning roots trust in specific server keys rather than in every CA in the device trust store, so a certificate mis-issued for your host by a compromised or coerced CA is rejected and the MITM it would enable fails.
## Core Concepts

`CertificatePinner` pins the SHA-256 hash of a certificate's SubjectPublicKeyInfo (its public key, not the whole certificate), base64-encoded and prefixed with `sha256/`, against a hostname or a `*.` wildcard pattern:

```kotlin
CertificatePinner.Builder()
    .add("example.com", "sha256/AAAA...")      // exact host
    .add("*.example.com", "sha256/BBBB...")    // one subdomain label
    .build()
```
## Code Examples

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

// Pin the SPKI hash for the API host (value shown is truncated).
val pinner = CertificatePinner.Builder()
    .add("api.example.com", "sha256/47DEQpj8HBSa...")
    .build()

// A handshake to api.example.com whose chain has no matching pin fails with SSLPeerUnverifiedException.
val httpClient = OkHttpClient.Builder()
    .certificatePinner(pinner)
    .build()
```
## Senior-Level Insights

- Pin multiple hashes per host (the current key plus a backup) so a rotation or failover does not lock clients out
- Update the pinned hashes before the server's certificate rotates; a client shipped with stale pins cannot connect until it is updated
- Handle pin failures gracefully: log the `SSLPeerUnverifiedException` (OkHttp's message lists the chain's actual pins), and gate any bypass to development builds only
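The pin format and host-pattern rule described in Core Concepts, and the hash refresh that rotation requires, as an added stand-alone Python example (not OkHttp's code): it reads the SubjectPublicKeyInfo out of a DER certificate with a minimal DER reader, builds the `sha256/...` pin string, and checks a chain against a pin set using the single-label `*.` wildcard rule. The sample certificate is a constructed skeleton with placeholder fields, assumed only for its X.509 shape; the parsing and hashing steps are the ones you would run on a real server certificate to obtain the hash to pin.

```python
"""OkHttp-style certificate pins: pin = "sha256/" + base64(SHA-256(SPKI DER))."""
import base64
import hashlib

SEQ, INT, BITSTR, NULL, OID, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0xA0


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (short and long definite lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# Constructed SubjectPublicKeyInfo: rsaEncryption algorithm id + dummy key bits.
SAMPLE_SPKI = _tlv(SEQ,
    _tlv(SEQ, _tlv(OID, bytes.fromhex("2a864886f70d010101")) + _tlv(NULL, b""))
    + _tlv(BITSTR, b"\x00" + b"\x01" * 270))   # leading 0x00 = no unused bits


def _build_sample_cert(spki: bytes) -> bytes:
    """Constructed certificate skeleton with tbsCertificate fields in X.509 order."""
    tbs = (
        _tlv(CTX0, _tlv(INT, b"\x02"))   # [0] version v3
        + _tlv(INT, b"\x01")             # serialNumber
        + _tlv(SEQ, b"")                 # signature algorithm (placeholder)
        + _tlv(SEQ, b"")                 # issuer (placeholder)
        + _tlv(SEQ, b"")                 # validity (placeholder)
        + _tlv(SEQ, b"")                 # subject (placeholder)
        + spki                           # subjectPublicKeyInfo
    )
    return _tlv(SEQ, _tlv(SEQ, tbs) + _tlv(SEQ, b"") + _tlv(BITSTR, b"\x00"))


SAMPLE_CERT = _build_sample_cert(SAMPLE_SPKI)


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)   # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)        # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == CTX0:                            # optional [0] version
        pos = nxt
    for _ in range(5):                         # serial, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    start = pos
    _, _, end = _read_tlv(tbs, pos)
    return tbs[start:end]


def pin_for_spki(spki_der: bytes) -> str:
    """Pin string for a public key: sha256/<base64 of SHA-256(SPKI DER)>."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_for_cert(cert_der: bytes) -> str:
    """Pin string for a certificate; this is the value to put in the pin set."""
    return pin_for_spki(spki_from_cert(cert_der))


def host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches exactly one extra label; otherwise exact match."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                   # ".example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[:-len(suffix)]
    return pattern == host


def check_pins(pins: dict, host: str, chain: list) -> bool:
    """True if no pin applies to host, or some chain cert matches an applicable pin."""
    applicable = [p for pat, ps in pins.items() if host_matches(pat, host) for p in ps]
    if not applicable:
        return True                            # host is not pinned
    return any(pin_for_cert(c) in applicable for c in chain)


if __name__ == "__main__":
    print(pin_for_cert(SAMPLE_CERT))           # the hash you would add to the pinner
```

`check_pins` mirrors the pinner's decision: a host with no applicable pattern is not pinned at all, and a pinned host passes when any certificate in the chain (leaf or intermediate) hashes to a configured pin, which is why pinning a backup key keeps rotation from locking clients out.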