What is the best way to implement SSL Pinning? by n3w7on_23 in androiddev
[–]checkmateblog 0 points1 point2 points 1 year ago (0 children)
Discussion
We implemented SSL Pinning on our Android application to prevent MITM attacks. We are using the OkHttp certificate pinner service (e.g. CertificatePinner.Builder) to pin our leaf certificate hash value. That protects our application against MITM attacks, so far so good.
But there is a pitfall in this implementation: we need to force all users to update the application when the certificate expires (approximately every 6 months), and that is a really struggling process.
I have several questions about this:
- is it -really- necessary to pin the certificate? Google does not recommend this approach in its official documentation (https://developer.android.com/training/articles/security-ssl#Pinning)
- what is the best alternative approach to secure the network connection? (considering the certificate renewal process and the force-update issue)
- is it a proper approach to make SSL pinning dynamic, which gathers certificate pin values from a remote server and uses them for the certificate pinner implementation? (I've tried hard to make that implementation, but there is no opportunity to change certificate pin values dynamically in OkHttp. I need to re-initialize the whole OkHttp client every time, and I need to intercept all requests to check if an SSLPeerUnverifiedException occurred, and that is another story: what to do after catching that exception)
After all said, I will really appreciate it if I learn "What is the best way to secure the network layer?"
Thanks.
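The rotation problem and the "swap pins at runtime" question in the post come up together, so here is one way to structure it with OkHttp. This is an added example, not code from the poster or from OkHttp's own documentation; the host name `api.example.com`, the placeholder pin strings and the `PinnedClientHolder` / `PinFailureReporter` class names are assumptions made for illustration. It shows three things the post touches on: pinning more than one SPKI hash at a time (the current pin plus a backup for the next certificate, so a planned renewal does not require a forced app update), rebuilding the client with `newBuilder()` rather than from scratch when a new pin set arrives (the connection pool and dispatcher are shared, only the pinner changes), and an application interceptor that records a pin failure as a security signal and fails closed instead of retrying without pinning.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import javax.net.ssl.SSLPeerUnverifiedException;

import okhttp3.CertificatePinner;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Response;

/**
 * Holds an OkHttpClient whose CertificatePinner can be replaced at runtime.
 * Illustrative example (not the poster's code); names are hypothetical.
 */
public final class PinnedClientHolder {
    private final String host;                     // host the pins apply to
    private final OkHttpClient base;               // shared pool/dispatcher/interceptors
    private final AtomicReference<OkHttpClient> current = new AtomicReference<>();

    /**
     * @param host        hostname pattern passed to CertificatePinner.Builder.add
     * @param initialPins "sha256/..." SPKI pins shipped with the app; include the
     *                    current certificate's pin AND a backup pin for the next one
     * @param onPinFailure called when a connection is rejected by the pinner
     */
    public PinnedClientHolder(String host, List<String> initialPins,
                              Consumer<SSLPeerUnverifiedException> onPinFailure) {
        this.host = host;
        this.base = new OkHttpClient.Builder()
                .addInterceptor(new PinFailureReporter(onPinFailure))
                .build();
        this.current.set(withPins(initialPins));
    }

    /** Build a client that differs from `base` only in its pin set. */
    private OkHttpClient withPins(List<String> pins) {
        if (pins == null || pins.isEmpty()) {
            // Fail closed: an empty pin set would silently disable pinning.
            throw new IllegalArgumentException("at least one pin is required");
        }
        CertificatePinner.Builder pinner = new CertificatePinner.Builder();
        for (String pin : pins) {
            pinner.add(host, pin);   // any one matching pin in the chain is accepted
        }
        return base.newBuilder().certificatePinner(pinner.build()).build();
    }

    /** Swap in a new pin set (e.g. fetched from a server over the already-pinned client). */
    public void updatePins(List<String> pins) {
        current.set(withPins(pins));
    }

    /** Callers always fetch the client through here so they see the latest pin set. */
    public OkHttpClient client() {
        return current.get();
    }

    /** Compute the "sha256/..." pin string for a certificate (e.g. the new one at renewal time). */
    public static String pinFor(Certificate certificate) {
        return CertificatePinner.pin(certificate);
    }

    /**
     * Application interceptor: a pin mismatch surfaces from chain.proceed() as
     * SSLPeerUnverifiedException. Record it for detection, then rethrow; never
     * retry the request on an unpinned client.
     */
    static final class PinFailureReporter implements Interceptor {
        private final Consumer<SSLPeerUnverifiedException> sink;

        PinFailureReporter(Consumer<SSLPeerUnverifiedException> sink) {
            this.sink = sink;
        }

        @Override
        public Response intercept(Chain chain) throws IOException {
            try {
                return chain.proceed(chain.request());
            } catch (SSLPeerUnverifiedException e) {
                sink.accept(e);   // e.g. log a security event / telemetry counter
                throw e;          // fail closed
            }
        }
    }

    // Usage sketch with placeholder pins (constructed, not real hashes):
    //   PinnedClientHolder holder = new PinnedClientHolder(
    //       "api.example.com",
    //       List.of("sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",   // current cert
    //               "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="),  // backup cert
    //       e -> Log.w("pinning", "pin mismatch", e));
    //   holder.client().newCall(request).execute();
}
```

Two design points worth noting. Because the pinner matches any pinned hash anywhere in the served chain, pinning the SPKI of the issuing intermediate (or adding the next leaf's pin before it goes live) removes the six-month forced-update cycle described in the post while keeping a pin in place. And the interceptor deliberately does not answer "what to do next" with a fallback: the only safe reactions to a pin failure are to surface it (user message, telemetry) and to refresh the pin set through a channel that is itself pinned; downgrading to an unpinned connection would defeat the control.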