0

In using certificate pinning, development is saying that no 3rd party will be trusted with the HTTPS certificate; instead it will be stored on the device. If I reverse engineer an Android APK, would I not have access to this certificate? I realize it's public, but I could use it to do man-in-the-middle attacks, correct? Where should I put the certificate so that no one can access it? I have a *.cer certificate file located in the resources folder in Android but need to know how secure it will be there.

4

1 Answer 1

0

The certificate is not secret, so don't worry about someone reverse engineering your certificate. To pin the certificate, simply embed your server's cert into your app. Then at runtime, when the server sends you its cert, compare it to the one you embedded to ensure they are the same. Do this in addition to all the usual SSL/TLS verification.

answered 2015-12-04T04:25:27.850
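The check the answer describes, written out as an added example (this is not code from the question, the answer, or any particular library): an `X509TrustManager` that first runs the platform's normal chain validation and then requires the leaf certificate the server presented to be byte-identical to the `*.cer` embedded in the app. The class name `PinningTrustManager`, the helper names, and the idea of loading the pinned cert from a raw resource are assumptions for illustration; everything else is the standard `javax.net.ssl` / `java.security.cert` API.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical helper (not from the thread): pins the server's leaf certificate
 * on top of the usual TLS chain validation, never instead of it.
 */
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager defaultTm; // platform trust store: chain, expiry, signatures
    private final byte[] pinnedDer;           // DER bytes of the certificate shipped in the APK

    public PinningTrustManager(X509Certificate pinned) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore selects the platform default trust anchors
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no default X509TrustManager");
        this.defaultTm = found;
        this.pinnedDer = pinned.getEncoded();
    }

    /** Parse the embedded *.cer (DER or PEM); e.g. pass getResources().openRawResource(R.raw.server_cert). */
    public static X509Certificate loadPinnedCert(InputStream in) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(in);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // 1. Usual validation first: the chain must build to a trusted root, be unexpired, etc.
        defaultTm.checkServerTrusted(chain, authType);

        // 2. The pin: chain[0] is the leaf the server just presented. It must match the
        //    embedded cert exactly; a valid cert from some other CA is rejected here.
        byte[] presented = chain[0].getEncoded();
        if (!Arrays.equals(presented, pinnedDer)) {
            throw new CertificateException(
                "certificate pin mismatch for " + chain[0].getSubjectX500Principal());
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        defaultTm.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return defaultTm.getAcceptedIssuers();
    }

    /** SSLContext whose sockets enforce the pin; install via HttpsURLConnection.setSSLSocketFactory(). */
    public static SSLContext pinnedContext(X509Certificate pinned) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(pinned) }, null);
        return ctx;
    }
}
```

Two things this makes concrete. First, the embedded cert being readable from the APK does not weaken the check: the attacker needs the matching private key to complete a handshake, and that key never leaves the server. Second, pinning the whole leaf certificate ties the app to that exact cert, so the app must ship an update before the server's cert is renewed; pinning the server's public key (SPKI) instead is the usual way to survive renewals that keep the same key. On Android 7.0 (API 24) and later the same pin can be declared without code in a network security configuration XML file, which is the preferred route for new apps.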