CertifitacePinning: Add toggle to enable/disable
- Enabled by default - Could be useful for people using VPN based ad blockers - Option to make app usable, if at all Google's root certs gets changed/updated
This commit is contained in:
@@ -26,6 +26,7 @@ import com.aurora.store.R
|
||||
import com.aurora.store.data.model.Algorithm
|
||||
import com.aurora.store.data.model.ProxyInfo
|
||||
import com.aurora.store.util.Preferences
|
||||
import com.aurora.store.util.Preferences.PREFERENCE_CERTIFICATE_PINNING_ENABLED
|
||||
import com.aurora.store.util.Preferences.PREFERENCE_PROXY_ENABLED
|
||||
import com.aurora.store.util.Preferences.PREFERENCE_PROXY_INFO
|
||||
import com.google.gson.Gson
|
||||
@@ -34,10 +35,10 @@ import dagger.Provides
|
||||
import dagger.hilt.InstallIn
|
||||
import dagger.hilt.android.qualifiers.ApplicationContext
|
||||
import dagger.hilt.components.SingletonComponent
|
||||
import java.io.ByteArrayInputStream
|
||||
import java.io.InputStream
|
||||
import okhttp3.CertificatePinner
|
||||
import okhttp3.OkHttpClient
|
||||
import java.io.ByteArrayInputStream
|
||||
import java.io.InputStream
|
||||
import java.net.Authenticator
|
||||
import java.net.InetSocketAddress
|
||||
import java.net.PasswordAuthentication
|
||||
@@ -59,17 +60,33 @@ object OkHttpClientModule {
|
||||
|
||||
@Provides
|
||||
@Singleton
|
||||
fun providesOkHttpClientInstance(certPinner: CertificatePinner, proxy: Proxy?): OkHttpClient {
|
||||
return OkHttpClient().newBuilder()
|
||||
fun providesOkHttpClientInstance(
|
||||
@ApplicationContext context: Context,
|
||||
certPinner: CertificatePinner,
|
||||
proxy: Proxy?
|
||||
): OkHttpClient {
|
||||
val isCertPinningEnabled = Preferences.getBoolean(
|
||||
context,
|
||||
PREFERENCE_CERTIFICATE_PINNING_ENABLED,
|
||||
true
|
||||
)
|
||||
|
||||
val builder = OkHttpClient().newBuilder()
|
||||
.proxy(proxy)
|
||||
.certificatePinner(certPinner)
|
||||
.connectTimeout(25, TimeUnit.SECONDS)
|
||||
.readTimeout(25, TimeUnit.SECONDS)
|
||||
.writeTimeout(25, TimeUnit.SECONDS)
|
||||
.retryOnConnectionFailure(true)
|
||||
.followRedirects(true)
|
||||
.followSslRedirects(true)
|
||||
.build()
|
||||
|
||||
if (isCertPinningEnabled) {
|
||||
builder.certificatePinner(certPinner)
|
||||
} else {
|
||||
Log.i(TAG, "Certificate pinning is disabled")
|
||||
}
|
||||
|
||||
return builder.build()
|
||||
}
|
||||
|
||||
@Provides
|
||||
@@ -79,12 +96,21 @@ object OkHttpClientModule {
|
||||
val googleRootCerts = getGoogleRootCertHashes(context).map { "sha256/$it" }
|
||||
.toTypedArray()
|
||||
|
||||
return CertificatePinner.Builder()
|
||||
return CertificatePinner.Builder()
|
||||
.add("*.googleapis.com", *googleRootCerts)
|
||||
.add("*.google.com", *googleRootCerts)
|
||||
.add("auroraoss.com", "sha256/mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c=") // GTS Root R4
|
||||
.add("*.exodus-privacy.eu.org", "sha256/C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=") // ISRG Root X1
|
||||
.add("gitlab.com", "sha256/x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=") // USERTrust RSA Certification Authority
|
||||
.add(
|
||||
"auroraoss.com",
|
||||
"sha256/mEflZT5enoR1FuXLgYYGqnVEoZvmf9c2bVBpiOjYQ0c="
|
||||
) // GTS Root R4
|
||||
.add(
|
||||
"*.exodus-privacy.eu.org",
|
||||
"sha256/C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
|
||||
) // ISRG Root X1
|
||||
.add(
|
||||
"gitlab.com",
|
||||
"sha256/x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
|
||||
) // USERTrust RSA Certification Authority
|
||||
.build()
|
||||
}
|
||||
|
||||
@@ -121,7 +147,8 @@ object OkHttpClientModule {
|
||||
|
||||
private fun getGoogleRootCertHashes(context: Context): List<String> {
|
||||
return try {
|
||||
val certs = getX509Certificates(context.resources.openRawResource(R.raw.google_roots_ca))
|
||||
val certs =
|
||||
getX509Certificates(context.resources.openRawResource(R.raw.google_roots_ca))
|
||||
certs.map {
|
||||
val messageDigest = MessageDigest.getInstance(Algorithm.SHA256.value)
|
||||
messageDigest.update(it.publicKey.encoded)
|
||||
|
||||
@@ -47,6 +47,7 @@ object Preferences {
|
||||
const val PREFERENCE_PROXY_URL = "PREFERENCE_PROXY_URL"
|
||||
const val PREFERENCE_PROXY_INFO = "PREFERENCE_PROXY_INFO"
|
||||
const val PREFERENCE_PROXY_ENABLED = "PREFERENCE_PROXY_ENABLED"
|
||||
const val PREFERENCE_CERTIFICATE_PINNING_ENABLED = "PREFERENCE_CERTIFICATE_PINNING_ENABLED"
|
||||
|
||||
const val PREFERENCE_DISPENSER_URLS = "PREFERENCE_DISPENSER_URLS"
|
||||
const val PREFERENCE_VENDING_VERSION = "PREFERENCE_VENDING_VERSION"
|
||||
|
||||
@@ -31,6 +31,7 @@ import androidx.viewpager2.widget.ViewPager2.OnPageChangeCallback
|
||||
import com.aurora.Constants
|
||||
import com.aurora.extensions.areNotificationsEnabled
|
||||
import com.aurora.extensions.isIgnoringBatteryOptimizations
|
||||
import com.aurora.store.BuildConfig
|
||||
import com.aurora.store.R
|
||||
import com.aurora.store.data.helper.UpdateHelper
|
||||
import com.aurora.store.data.model.UpdateMode
|
||||
@@ -40,6 +41,7 @@ import com.aurora.store.util.CertUtil
|
||||
import com.aurora.store.util.PackageUtil
|
||||
import com.aurora.store.util.Preferences
|
||||
import com.aurora.store.util.Preferences.PREFERENCE_AUTO_DELETE
|
||||
import com.aurora.store.util.Preferences.PREFERENCE_CERTIFICATE_PINNING_ENABLED
|
||||
import com.aurora.store.util.Preferences.PREFERENCE_DEFAULT
|
||||
import com.aurora.store.util.Preferences.PREFERENCE_DEFAULT_SELECTED_TAB
|
||||
import com.aurora.store.util.Preferences.PREFERENCE_DISPENSER_URLS
|
||||
@@ -169,6 +171,7 @@ class OnboardingFragment : BaseFragment<FragmentOnboardingBinding>() {
|
||||
if (!CertUtil.isAppGalleryApp(requireContext(), requireContext().packageName)) {
|
||||
save(PREFERENCE_DISPENSER_URLS, setOf(Constants.URL_DISPENSER))
|
||||
}
|
||||
save(PREFERENCE_CERTIFICATE_PINNING_ENABLED, !BuildConfig.DEBUG)
|
||||
save(PREFERENCE_VENDING_VERSION, 0)
|
||||
|
||||
/*Customization*/
|
||||
|
||||
Reference in New Issue
Block a user