Xamarin-android: Certificate pinning using AndroidClientHandler and ServicePointManager

Created on 19 Jun 2018 · 7 Comments · Source: xamarin/xamarin-android

Steps to Reproduce

Similar to this issue on Xamarin.iOS.

  1. Configure Droid project to use AndroidClientHandler as HttpClient implementation.
  2. Register a callback: ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => {};
  3. Create new HttpClient: var client = new HttpClient();
  4. Make a GET request: client.GetStringAsync("https://www.xamarin.com");

Repro project:
ReproProject.zip

Expected Behavior

I expect the ServerCertificateValidationCallback to be called for every request, but this does not happen when using the AndroidClientHandler.

Actual Behavior

The ServerCertificateValidationCallback is not called at all when using AndroidClientHandler. When using the default HttpClientHandler, the ServerCertificateValidationCallback gets called as expected.

Version Information

=== Visual Studio Enterprise 2017 for Mac ===

Version 7.5.2 (build 40)
Installation UUID: 621e6bd4-594e-47fd-9aaa-510f440c3a87
Runtime:
Mono 5.10.1.57 (2017-12/ea8a24b1bbf) (64-bit)
GTK+ 2.24.23 (Raleigh theme)
Xamarin.Mac 4.4.1.178 (master / eeaeb7e6)

Package version: 510010057

=== NuGet ===

Version: 4.3.1.4445

=== .NET Core ===

Runtime: /usr/local/share/dotnet/dotnet
Runtime Versions:
2.0.5
2.0.0
SDK: /usr/local/share/dotnet/sdk/2.1.4/Sdks
SDK Versions:
2.1.4
2.0.0
MSBuild SDKs: /Library/Frameworks/Mono.framework/Versions/5.10.1/lib/mono/msbuild/15.0/bin/Sdks

=== Xamarin.Profiler ===

Version: 1.6.2
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler

=== Xamarin.Android ===

Version: 8.3.3.2 (Visual Studio Enterprise)
Android SDK: /Users/gebruiker/Library/Android/sdk
Supported Android versions:
8.0 (API level 26)
8.1 (API level 27)

SDK Tools Version: 26.1.1
SDK Platform Tools Version: 27.0.1
SDK Build Tools Version: 27.0.3

Java SDK: /usr
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

=== Apple Developer Tools ===

Xcode 9.4.1 (14161)
Build 9F2000

=== Xamarin.Mac ===

Version: 4.4.1.193 (Visual Studio Enterprise)

=== Xamarin.iOS ===

Version: 11.12.0.4 (Visual Studio Enterprise)
Hash: 64fece5f
Branch: d15-7
Build date: 2018-05-29 20:00:44-0400

=== Xamarin Inspector ===

Version: 1.4.0
Hash: b3f92f9
Branch: master
Build date: Fri, 19 Jan 2018 22:00:34 GMT
Client compatibility: 1

=== Build Information ===

Release ID: 705020040
Git revision: cfe2fc0566bc4db990242959de40505a13f58352
Build date: 2018-05-30 11:24:18-04
Xamarin addins: 3ac7413ef51a88e06367313c27aec8f7292752a6
Build lane: monodevelop-lion-d15-7

=== Operating System ===

Mac OS X 10.13.4
Darwin 17.5.0 Darwin Kernel Version 17.5.0
Fri Apr 13 19:32:32 PDT 2018
root:xnu-4570.51.2~1/RELEASE_X86_64 x86_64

=== Enabled user installed addins ===

Straight8's SpecFlow Integration 1.11.1.0
Straight8's SpecFlow Intergration 1.11.0.0
Internet of Things (IoT) development (Preview) 7.5

App Runtime wontfix

All 7 comments

Hi @basdecort,

Unfortunately the native http handlers do not call into the ServicePointManager APIs. This would have too much performance impact in converting the native SSL objects to .NET ones. This is the same for AndroidClientHandler and NSUrlSessionHandler on iOS.

I have a sample of SSL pinning on iOS I made a while ago: https://github.com/jonathanpeppers/Xamarin.SSLPinning

On Android, however, the APIs are a bit different. Can you try what they are doing in this article: https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin

Closing for now, as this was "by design" (sorry!). Feel free to reopen/comment if you have an issue using the native APIs.
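
Added example (not code from this thread, the linked repositories or the linked article): since AndroidClientHandler never consults ServicePointManager, a pin check has to be attached to the native connection, for instance by overriding the handler's GetSSLHostnameVerifier hook. The class names and the pin value are hypothetical placeholders, and the sketch assumes the platform calls the supplied verifier for each HTTPS connection the handler opens.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Javax.Net.Ssl;
using Xamarin.Android.Net;

// Hypothetical helper: compares the SHA-256 of the leaf certificate's
// SubjectPublicKeyInfo against a fixed set of base64-encoded pins.
public sealed class SpkiPinVerifier : Java.Lang.Object, IHostnameVerifier
{
    readonly HashSet<string> pins;

    public SpkiPinVerifier(IEnumerable<string> base64Sha256Pins)
    {
        pins = new HashSet<string>(base64Sha256Pins, StringComparer.Ordinal);
    }

    public bool Verify(string hostname, ISSLSession session)
    {
        // Keep the platform hostname check; the pin is an extra constraint,
        // not a replacement for normal validation.
        if (!HttpsURLConnection.DefaultHostnameVerifier.Verify(hostname, session))
            return false;

        Java.Security.Cert.Certificate[] chain;
        try { chain = session.GetPeerCertificates(); }
        catch (SSLPeerUnverifiedException) { return false; }   // fail closed
        if (chain == null || chain.Length == 0)
            return false;

        // Only chain[0] is checked: its key is the one proven in the handshake.
        // The remaining entries are whatever the server chose to send.
        byte[] spki = chain[0].PublicKey.GetEncoded();          // DER-encoded SPKI
        using (var sha256 = SHA256.Create())
            return pins.Contains(Convert.ToBase64String(sha256.ComputeHash(spki)));
    }
}

// Hypothetical handler; use it as: new HttpClient(new PinnedAndroidClientHandler())
public sealed class PinnedAndroidClientHandler : AndroidClientHandler
{
    // Placeholders, not real hashes: the current key plus a backup key,
    // so a planned key rotation does not lock the app out.
    static readonly string[] Pins =
    {
        "<BASE64-SHA256-OF-CURRENT-SPKI>",
        "<BASE64-SHA256-OF-BACKUP-SPKI>",
    };

    protected override IHostnameVerifier GetSSLHostnameVerifier(HttpsURLConnection connection)
        => new SpkiPinVerifier(Pins);
}
```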

@jonathanpeppers can the Xamarin docs team maybe make a nice document on how to do this if it is by design?

@Cheesebaron I asked, we'll see?

I just found this which might be useful until Xamarin has the necessary overloads available (I haven't tested it out yet) : https://github.com/tranb3r/secure-httpclient

This is now handled natively on ios due to https://github.com/xamarin/xamarin-macios/pull/6103 being merged. Can we open this for discussion again? So we could have native cert pinning in both platforms.

@grendello can correct me, but I think there is already a way to do this with AndroidClientHandler?

Looks like Xamarin.iOS added a callback that didn't exist before, but I think you can do an equivalent with Android already?

Cert pinning with AndroidClientHandler doesn't work at all.
