Feature request: Option not to trust system CAs (certificate pinning)



  • Hi,

    First of all thanks for the great app, ownCloud with DAVdroid is great!

    I have noticed that app developers are starting to add a user option into their apps which gives the option not to trust any of the pre-installed, system-wide certificate authorities - Instead the app will only trust a specific, accepted certificate.

    This functionality is relevant to DAVdroid because ownCloud it is meant to be a private, personal cloud solution so there is a very good argument for clients only trusting a personal, private certificate.

    The Conversations app is an example of where this has been implemented:
    https://play.google.com/store/apps/details?id=eu.siacs.conversations&hl=en

    Here is an Android library project which may be useful:
    https://github.com/moxie0/AndroidPinning

    And here's an explanation (provided by the developer of the above library) as to why it's really quite an important feature:
    http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/

    Hope this feature can be added to (the otherwise fantastic) DAVdroid!

    (I think it may also help to get around the many certificate problems people seem to have with DAVdroid)


  • developer

    Hello,

    Thanks for your suggestion. While I don't think it makes sense to not trust system-wide CAs on app level (if you distrust those CAs, wouldn't they have to be removed/disabled in the system so that they can't do any harm in other apps, too?), I certainly support that certificate pinning would be a good thing.


Log in to reply
 

Looks like your connection to Bitfire App Forums was lost, please wait while we try to reconnect.