Wednesday, September 7, 2016

Android Application Security - Using hmacSHA256 Encryption For Tamper Proof Request & Response

It was all started from SSL pinning implementation. I implemented SSL pinning in our application using 3 different method as mentioned below.However I failed to implement using all 3 mechanism for obvious reasons that there are open source tools available to bypass SSL pinning.

For android there are Justtrustme, Android-SSL-TrustKiller. In iOS there is ios-SSL-Killswitch. I posted question over stackoverflow in order to find the concrete solution for the ssl pinning. However, I ended up getting nothing. Link for the stackoverflow is mentioned below.

http://security.stackexchange.com/questions/136017/is-it-possible-to-implement-secure-ssl-pinning-implementation-for-without-server

Below are the methods I tried to implement for ssl pinning.