SSL pinning at android client side for google cloud endpoints APIs


baqir rizvi

Feb 16, 2018, 12:01:00 AM
to Google App Engine

I want to protect my Google Cloud Endpoints APIs from man-in-the-middle attacks using SSL pinning through OkHttp's CertificatePinner. Before I proceed, I have a few questions in mind:

(hostname is "bla...@appspot.com")

  1. Does Google change its server certificate along with the CA certificates, i.e. renew the certificate from time to time?
  2. Does Google notify us that it is going to renew the certificate?
  3. Do we also need to update the pinned certificate on the client side whenever Google changes its certificates?
  4. What is the best way to achieve that? Any other suggestion is welcome.

Yannick (Cloud Platform Support)

Feb 16, 2018, 4:19:25 PM
to google-a...@googlegroups.com
Hello Baqir,

Google frequently rotates leaf certificates and keys, and our intermediate and root may change at any time without notice. 

If you wish to pin against a service that’s running on Google’s infrastructure, you must be serving with your own certificates. Once you are pinning against keys that you control, we may advise you that pinning is complex and dangerous, but you can fundamentally do what you choose. 

In your situation, you can set up your own custom domain and use your own certificates for your Google App Engine application. As per the relevant Endpoints documentation, you should be able to use that custom domain in place of appspot.com for your Endpoint.

I hope this helps.
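An added example, not code from either poster or from Google, of the setup Yannick describes: pin only a custom domain whose certificates you control, never appspot.com, and register a second pin for a pre-generated backup key so the next rotation can be rolled out without locking older app versions out. The hostname `api.example.com`, the request path and the two `sha256/...` values are placeholders; real pins are computed from the SubjectPublicKeyInfo of your own leaf certificate and of the backup key, which the `pinFor` helper does with OkHttp's `CertificatePinner.pin`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedEndpointsClient {

    // Placeholder custom domain mapped to the App Engine app. appspot.com is deliberately not
    // pinned: Google rotates its leaf, intermediate and root certificates without notice.
    static final String API_HOST = "api.example.com";

    // Placeholder SPKI pins (base64 SHA-256 over the SubjectPublicKeyInfo, the format OkHttp
    // expects). CURRENT_PIN is the key in the certificate being served today; BACKUP_PIN is a
    // key generated in advance and kept offline, so a future rotation to it already validates
    // in apps that are out in the field.
    static final String CURRENT_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private PinnedEndpointsClient() {}

    // OkHttp accepts a connection to API_HOST only if some certificate in the presented chain
    // matches one of the registered pins; any other chain fails the TLS handshake.
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, CURRENT_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // Derives the pin string for a DER or PEM encoded X.509 certificate. Run this offline on
    // your own leaf certificate (and on a self-signed certificate for the backup key) when
    // preparing a release; the result is what goes into CURRENT_PIN / BACKUP_PIN above.
    public static String pinFor(InputStream certStream) throws Exception {
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(certStream);
        return CertificatePinner.pin(cert); // "sha256/<base64>"
    }

    // Placeholder request path; the real value is the Endpoints API path of the application.
    public static String call(OkHttpClient client) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/placeholder/api/path")
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch: either the server key rotated to one that was never pinned (an
            // operational bug on our side) or the connection is being intercepted. Either way
            // the request must not proceed; surface it so it can be investigated.
            throw new IOException("pin validation failed for " + API_HOST, e);
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(call(build()));
    }
}
```

The two-pin layout is what makes question 3 of the original post manageable: when the served key is rotated to the backup key, existing installs keep working, and the following release replaces `CURRENT_PIN` with the backup value and introduces a fresh backup. A single pin with no spare turns every key rotation into a forced app update.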