...
Public key pinning is provided using the Android Network Security Configuration and TrustKit. To use public key pinning, you can either create an Android network security configuration XML file or set a custom TrustManager implementation. The network security configuration is supported natively on Android Nougat (API Level 24) and newerhigher. For versions between API Level 21 and 23, the Gini SDK relies on TrustKit. The custom TrustManager is supported on all Android versions. We recommend reading the Android Network Security Configuration guide and the TrustKit limitations for API Levels 21 to 23.
...
| Note |
|---|
The above digests serve as an example only. You should always create the digest yourself from the Gini API’s public key and use that one (see Extract hash from pay-api.gini.net). If you receive a digest from us, always validate it by comparing it to the digest you created from the public key (see Extract hash from public key). Failing to validate a digest may might lead to security vulnerabilities. |
...
The TrustKit configuration tag <trustkit-config> is required in order to deactivate TrustKit reporting and to enforce public key pinning. This is important because without it TrustKit doesn’t throw CertificateExceptions if the local public keys don’t match any of the remote ones, effectively deactivating pinning. The only downside of enforcing pinning is that two public key hashes are required. In the example above, we created and used a “zero” key hash as a placeholder. Setting the same key hash twice doesn’t help since because key hashes are stored in a set. Ideally, you should use a backup public key hash as the second one.
...