certificate pinning for WebViews in Android 4.4

[Gabor Matuz]

Hi there,

I'm working on an Android app and as added security I'd like to use certificate pinning. For earlier version there was a hackish version with private reflection on the TrustManager but I see that now all those parts are handled by native code. Is there a way to still pin certificates in webviews?

Cheers,

Gabor

[Primiano Tucci]

-chromium-dev +chromium-discuss

I don't think WebView support overriding the TrustManager either. Also, yes, reflection speculating on the internal architecture of framework components / non public API sounds a pretty bad idea. It might work on a particular version of Android, but it might break on some others or on other devices.

It might not be exactly what you are looking for, but what about achieving something very similar to certificate pinning on the app-side with webview.getCertificate()?

Unfortunately the version of WebView in 4.4 doesn't seem to support public key pinning (HPKP) which probably would have been the best solution for what you are looking for.

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

[Deepak D]

Hi all,

I am working on an Android app and I have to add pinning certificate within this app. I am using Webview for displaying website. Here I want use pinning certificate with their(website) public key.. please provide some sample code for this concept.

Thanks ,

Deepak D

[Selim Gurun]

We do not support this at the time, sorry.