Thank you for your issue, I apologize for the long response. Secure communication with servers was added in this commit d1940fb (app version v0.1.15 or higher).
The user can optionally disable the secure connection with a server by clicking on the corresponding checkbox.
I'd like to take this issue a step further and implement verification of self-signed certificates. @fortuna, could you please tell me what `certSha256` is in the JSON that is used for installation?

```json
{
  "apiUrl": "...",
  "certSha256": "..."
}
```
Is this the server's certificate fingerprint? I tried to implement SSL Pinning using OkHttp, but I have a suspicion that certSha256 is some other internal thing related specifically to Outline or Outline Manager. Is it so?
The app does not check the certificate fingerprint when making requests to an Outline server, which is a significant security issue that allows for interception.
`outline/app/src/main/java/org/sirekanyan/outline/api/OutlineApi.kt`, line 28 in a1c9dea
At a minimum, the app should properly validate services with domain names, and warn the user about the lack of validation on self-signed certificates.
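The fingerprint check the issue asks for, as an added example that is not code from this repository or from Outline: a trust manager that accepts the server's certificate only when its digest matches the pinned value. It assumes `certSha256` is the hex-encoded SHA-256 of the certificate's DER encoding, which the thread does not confirm; `FingerprintTrustManager` and `pinnedSslContext` are hypothetical names.

```kotlin
import java.security.MessageDigest
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.X509TrustManager

// Assumption: certSha256 is the hex SHA-256 of the server certificate's DER bytes.
class FingerprintTrustManager(certSha256: String) : X509TrustManager {

    private val expected: ByteArray = parseHex(certSha256)

    override fun checkServerTrusted(chain: Array<X509Certificate>?, authType: String?) {
        // The leaf certificate is the first element of the presented chain.
        val leaf = chain?.firstOrNull()
            ?: throw CertificateException("Server presented no certificate")
        val actual = MessageDigest.getInstance("SHA-256").digest(leaf.encoded)
        // MessageDigest.isEqual compares in constant time.
        if (!MessageDigest.isEqual(expected, actual)) {
            throw CertificateException("Certificate fingerprint does not match certSha256")
        }
    }

    override fun checkClientTrusted(chain: Array<X509Certificate>?, authType: String?) {
        throw CertificateException("Client certificates are not supported")
    }

    override fun getAcceptedIssuers(): Array<X509Certificate> = emptyArray()

    private companion object {
        // Accepts "AB12..." as well as the colon-separated "AB:12:..." form.
        fun parseHex(value: String): ByteArray {
            val hex = value.trim().replace(":", "").lowercase()
            require(hex.length == 64 && hex.all { it in '0'..'9' || it in 'a'..'f' }) {
                "certSha256 must be 64 hex characters"
            }
            return hex.chunked(2).map { it.toInt(16).toByte() }.toByteArray()
        }
    }
}

// Builds an SSLContext that trusts only the certificate with the pinned fingerprint.
fun pinnedSslContext(certSha256: String): SSLContext =
    SSLContext.getInstance("TLS").apply {
        init(null, arrayOf<TrustManager>(FingerprintTrustManager(certSha256)), null)
    }
```

OkHttp's `CertificatePinner` compares a base64 SHA-256 of the certificate's public key rather than a digest of the whole certificate, so a hex whole-certificate value cannot be passed to it unchanged. Hostname verification is a separate step from the trust manager and is not changed by this code.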