From f85953301872eafec674e8f6c46047650e0d14f4 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Wed, 2 Mar 2022 20:07:11 +0100 Subject: [PATCH] update certificate pinning example --- content/posts/fdroid-issues.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/posts/fdroid-issues.md b/content/posts/fdroid-issues.md index 915de08..db47a2c 100644 --- a/content/posts/fdroid-issues.md +++ b/content/posts/fdroid-issues.md 
@@ -89,14 +89,14 @@ As a matter of fact, the [new unattended update API](https://developer.android.c Their client also lacks **TLS certificate pinning**, unlike Play Store which does that for all connections to Google. Certificate pinning is a way for apps to increase the security of their connection to services [by providing a set of public key hashes](https://developer.android.com/training/articles/security-config#CertificatePinning) of known-good certificates for these services instead of trusting pre-installed CAs. This can avoid some cases where an interception (*man-in-the-middle* attack) could be possible and lead to various security issues considering you're trusting the app to deliver you other apps. -It is an important security feature that is also straightforward to implement using the [declarative network security configuration](https://developer.android.com/training/articles/security-config) available since Android 7.0 (API level 24). See how GrapheneOS pins both root and CA certificates in [Auditor](https://github.com/GrapheneOS/Auditor) for their attestation service: +It is an important security feature that is also straightforward to implement using the [declarative network security configuration](https://developer.android.com/training/articles/security-config) available since Android 7.0 (API level 24). See how GrapheneOS pins both root and CA certificates in their [app repository client](https://github.com/GrapheneOS/Apps): ``` - attestation.app + apps.grapheneos.org C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
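Review bot: the changed lines swap the pinned domain from `attestation.app` to `apps.grapheneos.org` while the `C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=` digest line directly below is left as unchanged context; a pin digest is tied to a specific certificate chain, so confirm the digest(s) in the example are the ones actually configured for `apps.grapheneos.org` in the linked Apps repository rather than the values that were copied for the Auditor attestation service, otherwise the example would show a domain/pin pair that does not correspond to a real configuration. It would also help the reader if the hunk context made clear that the quoted fragment is the `<pin-set>` portion of the network security config (the `<domain>` and `<pin digest="SHA-256">` markup appears to have been lost in the rendered block), since the prose just above promises an example of how the pins are declared.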