Vulnerability in OkHttp’s Certificate Pinner

We fixed a bug that could have been used to defeat certificate pinning

Written by Jesse Wilson.

Security researcher John Kozyrakis from Cigital recently discovered a vulnerability in OkHttp’s CertificatePinner. He responsibly disclosed the issue to us via Square’s open source bug bounty program at HackerOne.

After feeling just a little bit embarrassed, I implemented a fix and released it as OkHttp 3.2.0. We also backported the fix to OkHttp 2.7.5. If you’re using OkHttp in your application, please upgrade to the latest release.

For a complete explanation of the problem, its origins, and consequences, see John’s post. Security is a difficult problem, and we Squares take it very seriously. We’ll continue to work hard to keep our code secure! Jesse Wilson *Android and jokes.*