certificate transparency

Matthieu Gicquel · Matthieu Gicquel · commit 98da5f8dc3d1 · 2023-11-30T15:59:44.000+01:00
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 <p align="center">Easily implement usual security measures in React Native Expo apps</p>
 
 - [SSL public key pinning](#ssl-pinning)
-- [🚧 Certificate transparency](#certificate-transparency)
+- [Certificate transparency](#certificate-transparency)
 - [🚧 "Recent screenshots" prevention](#recent-screenshots-prevention)
 
 > **⚠️ Disclaimer**<br/>
@@ -84,7 +84,14 @@ To test that SSL pinning is working as expected, you can:
 
 ## Certificate transparency
 
-TODO
+> **🥷 What's the threat?** Compromised certificate authorities. [More details](https://certificate.transparency.dev)
+
+- On iOS, [certificate transparency is enabled by default](https://developer.apple.com/documentation/ios-ipados-release-notes/ios-12_1_1-release-notes) since _iOS 12.1.1_
+- On Android, this package enables it using [appmatus/certificatetransparency](https://github.com/appmattus/certificatetransparency) for _Android >= 8.0_
+
+### Configuration
+
+None, enabled by default.
 
 ## "Recent screenshots" prevention
 
diff --git a/android/build.gradle b/android/build.gradle
@@ -92,4 +92,5 @@ dependencies {
 
   // package-specific dependencies
   implementation("com.facebook.react:react-native:+")
+  implementation("com.appmattus.certificatetransparency:certificatetransparency-android:2.5+") // using `+` because minors are mostly automated updates of logs_list
 }
diff --git a/android/src/main/java/tech/bam/rnas/HttpClientOverride.kt b/android/src/main/java/tech/bam/rnas/HttpClientOverride.kt
@@ -1,17 +1,24 @@
 package tech.bam.rnas
 
+import android.os.Build
 import com.facebook.react.modules.network.OkHttpClientFactory;
 import com.facebook.react.modules.network.OkHttpClientProvider;
 
 import okhttp3.CertificatePinner;
 import okhttp3.OkHttpClient;
 
+import com.appmattus.certificatetransparency.CTInterceptorBuilder
+
 import org.json.JSONObject
 
 public class SSLPinning : OkHttpClientFactory {
   override fun createNewNetworkModuleClient(): OkHttpClient {
     val config = parseConfig()
 
+    val clientBuilder = OkHttpClientProvider.createClientBuilder()
+
+    // -- SSL pinning --
+
     val certificatePinnerBuilder = CertificatePinner.Builder()
 
     for((hostName, certificates) in config) {
@@ -21,13 +28,19 @@ public class SSLPinning : OkHttpClientFactory {
       }
     }
 
-    val certificatePinner = certificatePinnerBuilder.build()
+    clientBuilder.certificatePinner(certificatePinnerBuilder.build())
 
-    val clientBuilder = OkHttpClientProvider.createClientBuilder()
+    // -- Certificate Transparency --
+
+    /*
+     * The library for certificate transparency does not support Android sdk version < 26 (Android 8.0) without setting up "desugaring"
+     * See more : https://github.com/appmattus/certificatetransparency#getting-started
+     */
+    if (Build.VERSION.SDK_INT >= 26) {
+      clientBuilder.addNetworkInterceptor(CTInterceptorBuilder().build())
+    }
 
-    return clientBuilder
-      .certificatePinner(certificatePinner)
-      .build()
+    return clientBuilder.build()
   }
 
 }
@@ -48,5 +61,5 @@ fun parseConfig() : Map<String, List<String>> {
       resultMap[key] = valuesList
   }
 
-  return resultMap // Map<String, List<String>>
+  return resultMap
 }

Original file line number	Diff line number	Diff line change
`@@ -92,4 +92,5 @@ dependencies {`
`92`	`92`
`93`	`93`	`// package-specific dependencies`
`94`	`94`	`implementation("com.facebook.react:react-native:+")`
	`95`	+ implementation("com.appmattus.certificatetransparency:certificatetransparency-android:2.5+") // using `+` because minors are mostly automated updates of logs_list
`95`	`96`	`}`