SSL Certificate Pinning

I’m currently in the process of designing and implementing a quick prototype for a potential business customer of my application. This application will be an Android application.

A requirement that was discussed recently was the security of the application connection to backendless.com. In order to accomplish this, I was thinking of using SSL Certificate pinning on the client side.

Does the current Android SDK support this and if not can this be implemented so I can perform SSL Cert. pinning as part of the validation process?

I am not that proficient with SSL, but my understanding of SSL pinning is that you tell the client to trust only a specific certificate. Am I close?

If that’s the case, you’d be able to do it by telling the client to trust only the cert which is deployed on our server. The SSL handshake between an Android client and the Backendless servers is handled within Java/Android - we do not have any custom code. That means to answer your question (and assuming I got the “pinning” concept right), it would be possible if Java/Android allow you to do that.

Regards,
Mark

Mark,

Yes, your understanding of SSL certificate pinning is correct. I envisioned that there could be another Login API added that would have an additional parameter for the SSL Certificate public key (Base64 encoded) of the certificate that will be validated against the certificate that is returned by the Backendless server. The additional Login API could be something like the following:

public void Backendless.UserService.login( String login, String password, String pinnedPubKey, AsyncCallback<BackendlessUser> callback );

Hi Roy,

You’re welcome to fork the SDK repository and add the method you need ))

Regards,
Mark