In your application, if you are talking to a web Server, how do you make sure that, you are talking the right one ?. Secure channels are the cornerstone to Applications those expect end-to-end security when sending and receiving data — especially sensitive data on channels protected by VPN, SSL, or TLS. Digital certificate or SSL certificate issued by CA(Certificate Authority), act as an identity of a Service hosted in web server. Application can use this certificate to verify identity of the Host he is trying to communicate. This certificate is exchanged during SSL handshake.

What is Certificate public key pinning ?

Associating host name to a public key which will be compared with the public key of the certificate received via SSL handshake. If both the key matches means you are talking to the right server.

Instead of pinning public key from a certificate, complete certificate can be used to verify the identity of the Host.Advantage is that,certificate is easiest to pin. You can fetch the certificate out of band for the website or you can use openssl client to fetch the certificate.

There is a downside to pinning a certificate. If the site rotates its certificate on a regular basis, then your application would need to be updated regularly. For example, Google rotates its certificates, so you will need to update your application about once a month (if it depended on Google services). Even though Google rotates its certificates, the underlying public keys (within the certificate) remain static.

This is also known as SSL pinning. It offers extra protection against man in the middle (MITM) attacks (DigiNotar), perhaps perpetrated using a compromised root certificate.

How to implement pinning in Android using Retrofit

Implement pinning in Retrofit we need two things

Host to be verified public key hash of the host

To implement pinning for api.github.com, we need public key hash from the certificate. I had used openssl to obtain the same.(There are different approach to get this,check the java doc of CertificatePinner)

the above command will give SHA256 hash of the public key. Retrofit exposes a class called CertificatePinner, using this you can bind the public key to the host. Then attach the CertificatePinner to the OkHttpClient. That’s it,we are done !!!.