Vulnerability in OkHttp’s Certificate Pinner
We fixed a bug that could have been used to defeat certificate pinning
Written by Jesse Wilson.
Security researcher John Kozyrakis from Cigital recently discovered a vulnerability in OkHttp’s CertificatePinner. He responsibly disclosed the issue to us via Square’s open source bug bounty program at HackerOne.
After feeling just a little bit embarrassed, I implemented a fix and released it as OkHttp 3.2.0. We also backported the fix to OkHttp 2.7.5. If you’re using OkHttp in your application, please upgrade to the latest release.
For a complete explanation of the problem, its origins, and consequences, see John’s post. Security is a difficult problem, and we Squares take it very seriously. We’ll continue to work hard to keep our code secure! Jesse Wilson Android and jokes.medium.com