Feature request: Option not to trust system CAs (certificate pinning)
-
Hi,
First of all thanks for the great app, ownCloud with DAVdroid is great!
I have noticed that app developers are starting to add a user option into their apps which gives the option not to trust any of the pre-installed, system-wide certificate authorities - Instead the app will only trust a specific, accepted certificate.
This functionality is relevant to DAVdroid because ownCloud it is meant to be a private, personal cloud solution so there is a very good argument for clients only trusting a personal, private certificate.
The Conversations app is an example of where this has been implemented:
https://play.google.com/store/apps/details?id=eu.siacs.conversations&hl=enHere is an Android library project which may be useful:
https://github.com/moxie0/AndroidPinningAnd here's an explanation (provided by the developer of the above library) as to why it's really quite an important feature:
http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/Hope this feature can be added to (the otherwise fantastic) DAVdroid!
(I think it may also help to get around the many certificate problems people seem to have with DAVdroid)
-
Hello,
Thanks for your suggestion. While I don't think it makes sense to not trust system-wide CAs on app level (if you distrust those CAs, wouldn't they have to be removed/disabled in the system so that they can't do any harm in other apps, too?), I certainly support that certificate pinning would be a good thing.