Android Security: Certificate Transparency

Matthew Dolan
8 min read · May 20, 2019

To protect our apps from man-in-the-middle attacks, one of the first things that usually springs to mind is certificate pinning. Indeed, in early 2017 I published an article that discusses implementing SSL pinning on Android.

At the time, little did I know that in late 2017 Google would announce that Chrome 68 would deprecate support for HTTP Public Key Pinning (HPKP). Chrome 68 was released on 24 July 2018.

The issues with certificate pinning are numerous. Firstly, deciding on a reliable set of keys to pin against is tough. Once you have made that decision, if your expectations don’t match reality, your users suffer from not being able to access your app or website. Smashing Magazine learnt about this the hard way in late 2016 when they blocked users’ access for up to a year because of a mismatch between the pins and the certificates. On mobile, fixing an invalid pin means pushing out a new version of an app, which can still take a while to reach every user.

“But pinning is terrible — and harms the ecosystem more than helps, as we’ve seen. It was a bad thing to standardize” — Ryan Sleevi (Chromium developer)

So with certificate pinning falling out of favour, what should you do? The new kid in town is certificate transparency.


What is Certificate Transparency?

Certificate Transparency helps eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates. —
