Storing keystore password for certificate pinning in Android

回眸只為那壹抹淺笑 submitted on 2019-12-23 04:32:43

Question


I've recently started to learn about security in Android apps and wanted to implement certificate pinning. I found some useful information by googling around, but I stumbled over storing the password of the keystore which contains the server certificate.

As I can't trust the Android filesystem to keep my keystore password secret, mainly because any rooted user would be able to dig it out eventually, I'm starting to wonder whether it is really necessary to securely store this keystore password or not, because this keystore will only contain my server's SSL certificate, which is intended to be public.

I can't think of any malicious attack if somebody could decompile my APK and see the keystore password, as the attacker wouldn't be able to modify any of the app's code and thus change, for example, the targeted server IP, or even modify the keystore, switching my certificate with some other malicious cert which, in combination with the change the attacker could make to the targeted IP, would make the app work against any malicious server (man-in-the-middle attack).

I found a quite good example of certificate pinning in Android here on GitHub, but sadly the author doesn't bother with storing the password securely, as it is hardcoded in the MainActivity.

So my summed-up question would be: is it really necessary to protect a keystore password if that keystore only contains an SSL server certificate that is intended to be public?

From the research I did, I found that in this question the OP addresses the possibility of passing null as the password in the Android code. Maybe I could go with this and store the keystore password on my server instead of packing it inside the Android app.


Also, during my googling I found some quite useful articles that might be interesting for anybody looking into this question in the future:

  • Certificate-Pinning in Android explained easy
  • Securely storing info in Android
  • Android Keystore for storing keys (WARNING any rooted user can dig out info stored here)

Progress update - passing null as the keystore password (as I mentioned above as one of the options) when you have set one while generating the keystore results in a keystore bypass: requests get sent anyway and the custom keystore does nothing. No exception is thrown or anything; it just works as if you hadn't set any custom keystore.

 import java.security.KeyStore;
 // A null password loads the entries without the password-keyed integrity (MAC) check of the store file.
 KeyStore trustStore = KeyStore.getInstance("BKS");
 trustStore.load(keyStoreInputStreamFromResources, null);

Source: https://stackoverflow.com/questions/43891059/storing-keystore-password-for-certificate-pinning-in-android
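The following is an added example, not code from the original question or from the GitHub project it links to. It shows the point the question circles around: the keystore password only keys an integrity check on the keystore file, it never makes the server certificate secret, and for a trust store that holds nothing but a public certificate the keystore file (and its password) can be dropped entirely. The certificate is parsed straight from a PEM/DER resource into an in-memory KeyStore that has no file and no password, so integrity rests on the APK signature instead. The resource name `res/raw/server_cert`, the alias `pinned-server` and the URL passed by the caller are assumptions for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Certificate pinning without a keystore file or a keystore password.
 *
 * The server certificate is public, so there is nothing to keep confidential.
 * A keystore password only enables a MAC-based integrity check on the store
 * file; when the certificate ships inside the APK, APK signing already covers
 * its integrity, so the password adds nothing worth protecting.
 */
public final class PinnedTrust {

    private PinnedTrust() {}

    /** Parse one PEM or DER encoded X.509 certificate, e.g. from res/raw/server_cert (assumed resource). */
    public static X509Certificate loadCertificate(InputStream certStream) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(certStream);
    }

    /** Build an X509TrustManager that trusts only the given certificate. */
    public static X509TrustManager pinnedTrustManager(X509Certificate serverCert) throws Exception {
        // load(null, null) initialises an empty in-memory store: no file, no password.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-server", serverCert); // alias is an assumption

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Offline check of the pin: would this trust manager accept the given server chain?
     * Returns false instead of throwing so it can be used in a unit test without a network.
     * authType is the key exchange algorithm as seen in the handshake ("RSA" for an
     * RSA-keyed certificate, "ECDHE_ECDSA" for an EC-keyed one).
     */
    public static boolean acceptsChain(X509TrustManager tm, X509Certificate[] chain, String authType) {
        try {
            tm.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    /** SSLContext whose socket factory only completes TLS handshakes against the pinned certificate. */
    public static SSLContext pinnedSslContext(X509Certificate serverCert) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinnedTrustManager(serverCert) }, null);
        return ctx;
    }

    /** Example use: url and certStream are supplied by the caller (placeholders here). */
    public static HttpsURLConnection openPinnedConnection(URL url, InputStream certStream) throws Exception {
        X509Certificate serverCert = loadCertificate(certStream);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(pinnedSslContext(serverCert).getSocketFactory());
        // Hostname verification is still performed by HttpsURLConnection's default verifier.
        return conn;
    }
}
```

Two practical caveats. Pinning the leaf certificate itself means every certificate renewal that changes the key breaks old app versions until they update; pinning the public key (or shipping a backup pin) is the usual mitigation. And with either approach, a rooted device or a repackaged APK can still strip the pin, which is the same limit the question already accepts for the keystore password: the pin defends the channel against network attackers, not the app against its own host.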
