Open
Description
Describe the bug
The SSL Pinning is not working on Android 6 Marshmallow but it works fine for Android N and above
To Reproduce
- Initialized and configured TrustKit correctly
- In the xml/network_security_config file, put some invalid certificates
- Run the app on Android 6 and Android >= 7
- The HTTPS requests on Android >= 7 are rejected correctly, but on Android 6 they work just fine.
Expected behavior
Requests with invalid certificates should not work on either Android 6 or Android >= 7.
TrustKit configuration
network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <!-- Pin the domain example.com -->
    <!-- Official Android N API -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set>
            <pin digest="SHA-256">JlgeWvslDDLd6LweqYxg4gANDQkZKDE7+ER3G/FP3BM=</pin>
            <pin digest="SHA-256">jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true">
        </trustkit-config>
    </domain-config>
</network-security-config>
MainActivity.java
@Override
protected void onCreate(Bundle savedInstanceState) {
    /* Start of certificate pinning */
    // Load the pins from res/xml/network_security_config.xml into TrustKit.
    try {
        TrustKit.initializeWithNetworkSecurityConfiguration(this);
    } catch (Exception e) {
        e.printStackTrace();
    }
    // OkHttp 3.3.x and higher: a client carrying TrustKit's socket factory,
    // trust manager and pinning interceptor. The client is built here but
    // not used further in this snippet.
    OkHttpClient client =
            new OkHttpClient.Builder()
                    .sslSocketFactory(OkHttp3Helper.getSSLSocketFactory(), OkHttp3Helper.getTrustManager())
                    .addInterceptor(OkHttp3Helper.getPinningInterceptor())
                    .followRedirects(false)
                    .followSslRedirects(false)
                    .build();
    /* End of certificate pinning */
    super.onCreate(savedInstanceState);
}
App details:
- App target SDK: 30
- App language: React Native 0.66.3
- Android version to reproduce the bug: Android 6 (Marshmallow)
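As an added example (not the reporter's code and not part of TrustKit), the method below sends a request through an OkHttpClient built the same way as in MainActivity.java above, so that the pin check is exercised on Android 6 too, where the platform itself does not evaluate `pin-set` (that is an Android 7 / API 24 feature) and only connections made through TrustKit's socket factory and trust manager are pinned. The class name, `PIN_TEST_URL` and the `Outcome` values are assumptions for this example.

```java
import java.io.IOException;
import javax.net.ssl.SSLException;

import com.datatheorem.android.trustkit.pinning.OkHttp3Helper;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/**
 * Added example, not from the issue or from TrustKit: performs a GET through an
 * OkHttpClient that carries TrustKit's SSLSocketFactory, TrustManager and pinning
 * interceptor, so the pin check runs on every Android version. Below API 24 the
 * platform ignores <pin-set>, so requests that bypass this client are not pinned.
 */
public final class PinnedRequestCheck {

    // Assumed: example.com is the pinned domain from network_security_config.xml.
    public static final String PIN_TEST_URL = "https://example.com/";

    public enum Outcome { ALLOWED, REJECTED_BY_TLS, OTHER_FAILURE }

    // Same construction as the issue's MainActivity; TrustKit must already have
    // been initialized with the network security configuration.
    public static OkHttpClient buildPinnedClient() {
        return new OkHttpClient.Builder()
                .sslSocketFactory(OkHttp3Helper.getSSLSocketFactory(), OkHttp3Helper.getTrustManager())
                .addInterceptor(OkHttp3Helper.getPinningInterceptor())
                .followRedirects(false)
                .followSslRedirects(false)
                .build();
    }

    // Run from a background thread: OkHttp rejects network calls on the main thread.
    public static Outcome check(OkHttpClient client, String url) {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            // Any HTTP status here means the TLS handshake, including the pin
            // check, succeeded; with deliberately wrong pins this is the bug.
            return Outcome.ALLOWED;
        } catch (SSLException e) {
            // A pin mismatch surfaces as a failed handshake. With
            // enforcePinning="true" and wrong pins this is the expected result.
            return Outcome.REJECTED_BY_TLS;
        } catch (IOException e) {
            // DNS failure, timeout, connection refused: unrelated to pinning.
            return Outcome.OTHER_FAILURE;
        }
    }
}
```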