One of the most important things in mobile development is secure communication, especially between the app and its backend server. Currently, the most common architecture for web services is REST over HTTP. The best protection for this model of communication is the TLS/SSL standard. Combined with the HTTP protocol, it produces the encrypted variant called HTTPS. HTTPS provides a confidential, encrypted channel between client apps and the backend server. Moreover, implementing this security feature on Android is very simple; you just need to watch out for a few common pitfalls.
Solution

To avoid this exploit, developers should implement Certificate Pinning. It is a method based on verifying the server certificate on the client side. This verification requires the server certificate, or its fingerprint, to be known to the mobile app in advance. When establishing a connection with the server, the app compares the stored fingerprint with the fingerprint of the certificate presented by the remote server. If the fingerprints are identical, the connection is valid and data transfer can proceed. If they differ, the app should reject the connection immediately, as it is compromised. The following 3 methods are the most popular ways to implement Certificate Pinning in Android apps.
You can add multiple fingerprints for different domains. Multiple fingerprints also make your app more flexible: you can add all fingerprints from the certification path, and you can add the certificates that will replace the current ones ahead of time, before the old ones expire. Fingerprints can be retrieved directly from the certificate. You can also import the certificate file into the resources, as in the TrustManager case; this time you need to manually write a class that extracts the fingerprint from the file. Alternatively, you can use Peer certificate extractor to do that for you.
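As an added example (not code from the original post), the following class shows the manual approach described above: it extracts SHA-256 fingerprints from certificate files bundled with the app or takes them as hex strings, supports several pins at once (different domains, the whole certification path, a backup certificate), and rejects any server chain that contains none of them. The class name and the use of `res/raw` are assumptions; the standard platform validation is run first so that an attacker cannot pass the pin check merely by including a pinned CA certificate in an otherwise unverified chain.

```java
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Accepts a server only if its chain passes normal PKI validation AND contains a pinned certificate. */
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager platformTrust;                   // the platform's own PKI validation
    private final Set<String> pinnedFingerprints = new HashSet<>(); // lower-case hex SHA-256 values

    public PinningTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                                  // null selects the platform trust store
        platformTrust = (X509TrustManager) tmf.getTrustManagers()[0];
    }

    /** Pin a certificate file bundled with the app (e.g. opened from res/raw); leaf, intermediate or root. */
    public void addPinFromCertificate(InputStream certFile) throws CertificateException {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certFile);
        pinnedFingerprints.add(sha256Fingerprint(cert));
    }

    /** Pin a fingerprint copied from a certificate viewer; colons and letter case are normalised away. */
    public void addPinFromFingerprint(String hexFingerprint) {
        pinnedFingerprints.add(hexFingerprint.replace(":", "").toLowerCase());
    }

    /** Hex SHA-256 over the DER encoding, the same value browsers and openssl display as the fingerprint. */
    static String sha256Fingerprint(X509Certificate cert) throws CertificateException {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (GeneralSecurityException e) { throw new CertificateException(e); }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformTrust.checkServerTrusted(chain, authType);          // standard validation first, then the pin check
        for (X509Certificate cert : chain) if (pinnedFingerprints.contains(sha256Fingerprint(cert))) return;
        throw new CertificateException("server chain contains no pinned certificate; rejecting connection");
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { platformTrust.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return platformTrust.getAcceptedIssuers(); }
}
```

Install it by passing it to `SSLContext.init(null, new TrustManager[]{pinning}, null)` and using that context's socket factory for your HTTPS connections; a pin that matches any certificate in the path lets you pin the leaf, an intermediate, or a backup certificate as the text suggests.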