feat: cert pinning (#2124)

app/src/main/kotlin/com/wire/android/di/KaliumConfigsModule.kt

@@ -49,14 +49,8 @@ class KaliumConfigsModule {
         }
 
         return KaliumConfigs(
-            isChangeEmailEnabled = BuildConfig.ALLOW_CHANGE_OF_EMAIL,
-            isLoggingEnabled = BuildConfig.LOGGING_ENABLED,
-            blacklistHost = BuildConfig.DEFAULT_BACKEND_URL_BLACKLIST,
             fileRestrictionState = fileRestriction,
             forceConstantBitrateCalls = BuildConfig.FORCE_CONSTANT_BITRATE_CALLS,
-            developerFeaturesEnabled = BuildConfig.DEVELOPER_FEATURES_ENABLED,
-            enableBlacklist = BuildConfig.ENABLE_BLACKLIST,
-            maxAccount = BuildConfig.MAX_ACCOUNTS,
             // we use upsert, available from SQL3.24, which is supported from Android API30, so for older APIs we have to use SQLCipher
             shouldEncryptData = !BuildConfig.DEBUG || Build.VERSION.SDK_INT < Build.VERSION_CODES.R,
             lowerKeyPackageLimits = BuildConfig.PRIVATE_BUILD,
@@ -69,7 +63,8 @@ class KaliumConfigsModule {
             wipeOnCookieInvalid = BuildConfig.WIPE_ON_COOKIE_INVALID,
             wipeOnDeviceRemoval = BuildConfig.WIPE_ON_DEVICE_REMOVAL,
             wipeOnRootedDevice = BuildConfig.WIPE_ON_ROOTED_DEVICE,
-            isWebSocketEnabledByDefault = isWebsocketEnabledByDefault(context)
+            isWebSocketEnabledByDefault = isWebsocketEnabledByDefault(context),
+            certPinningConfig = BuildConfig.CERTIFICATE_PINNING_CONFIG
         )
     }
 }

app/src/main/kotlin/com/wire/android/ui/userprofile/self/SelfUserProfileViewModel.kt

@@ -25,6 +25,7 @@ import androidx.compose.runtime.mutableStateOf
 import androidx.compose.runtime.setValue
 import androidx.lifecycle.ViewModel
 import androidx.lifecycle.viewModelScope
+import com.wire.android.BuildConfig
 import com.wire.android.appLogger
 import com.wire.android.datastore.UserDataStore
 import com.wire.android.di.AuthServerConfigProvider
@@ -56,7 +57,6 @@ import com.wire.kalium.logic.feature.user.IsReadOnlyAccountUseCase
 import com.wire.kalium.logic.feature.user.ObserveValidAccountsUseCase
 import com.wire.kalium.logic.feature.user.SelfServerConfigUseCase
 import com.wire.kalium.logic.feature.user.UpdateSelfAvailabilityStatusUseCase
-import com.wire.kalium.logic.featureFlags.KaliumConfigs
 import dagger.hilt.android.lifecycle.HiltViewModel
 import kotlinx.coroutines.flow.SharingStarted
 import kotlinx.coroutines.flow.StateFlow
@@ -85,7 +85,6 @@ class SelfUserProfileViewModel @Inject constructor(
     private val wireSessionImageLoader: WireSessionImageLoader,
     private val authServerConfigProvider: AuthServerConfigProvider,
     private val selfServerLinks: SelfServerConfigUseCase,
-    private val kaliumConfigs: KaliumConfigs,
     private val otherAccountMapper: OtherAccountMapper,
     private val observeEstablishedCalls: ObserveEstablishedCallsUseCase,
     private val accountSwitch: AccountSwitchUseCase,
@@ -228,7 +227,7 @@ class SelfUserProfileViewModel @Inject constructor(
     fun tryToInitAddingAccount(onSucceeded: () -> Unit) {
         viewModelScope.launch {
             // the total number of accounts is otherAccounts + 1 for the current account
-            val canAddNewAccounts: Boolean = (userProfileState.otherAccounts.size + 1) < kaliumConfigs.maxAccount
+            val canAddNewAccounts: Boolean = (userProfileState.otherAccounts.size + 1) < BuildConfig.MAX_ACCOUNTS
 
             if (!canAddNewAccounts) {
                 userProfileState = userProfileState.copy(maxAccountsReached = true)

buildSrc/src/main/kotlin/customization/FeatureConfigs.kt

@@ -22,6 +22,7 @@ enum class ConfigType(val type: String) {
     STRING("String"),
     BOOLEAN("Boolean"),
     INT("int"),
+    MapOfStringToListOfStrings("java.util.HashMap<String, java.util.List<String>>")
 }
 
 enum class FeatureConfigs(val value: String, val configType: ConfigType) {
@@ -88,6 +89,7 @@ enum class FeatureConfigs(val value: String, val configType: ConfigType) {
     DEFAULT_BACKEND_URL_BLACKLIST("default_backend_url_blacklist", ConfigType.STRING),
     DEFAULT_BACKEND_URL_WEBSITE("default_backend_url_website", ConfigType.STRING),
     DEFAULT_BACKEND_TITLE("default_backend_title", ConfigType.STRING),
-    // TODO: Add support for default proxy configs
 
+    CERTIFICATE_PINNING_CONFIG("cert_pinning_config", ConfigType.MapOfStringToListOfStrings),
+    // TODO: Add support for default proxy configs
 }

buildSrc/src/main/kotlin/scripts/variants.gradle.kts

@@ -23,7 +23,6 @@ package scripts
 import com.android.build.api.dsl.ApplicationProductFlavor
 import com.android.build.api.dsl.ProductFlavor
 import customization.ConfigType
-import customization.Customization
 import customization.Customization.getBuildtimeConfiguration
 import customization.FeatureConfigs
 import customization.FeatureFlags
@@ -185,14 +184,30 @@ android {
                     )
                 }
 
-                ConfigType.INT, ConfigType.BOOLEAN -> {
+                ConfigType.INT,
+                ConfigType.BOOLEAN -> {
                     buildNonStringConfig(
                         flavor,
                         configs.configType.type,
                         configs.name,
                         flavorMap[flavor.name]?.get(configs.value).toString()
                     )
                 }
+
+                ConfigType.MapOfStringToListOfStrings -> {
+                    val map = flavorMap[flavor.name]?.get(configs.value) as? Map<*, *>
+                    val mapString = map?.map { (key, value) ->
+                        "\"$key\", java.util.Arrays.asList(${(value as? List<*>)?.joinToString { "\"$it\"" } ?: ""})".let {
+                            "put($it);"
+                        }
+                    }?.joinToString(",\n") ?: ""
+                    buildNonStringConfig(
+                        flavor,
+                        configs.configType.type,
+                        configs.name,
+                        "new java.util.HashMap<String, java.util.List<String>>() {{\n$mapString\n}}"
+                    )
+                }
             }
         }
     }

default.json

@@ -6,7 +6,15 @@
             "logging_enabled": false,
             "application_is_private_build": false,
             "development_api_enabled": false,
-            "mls_support_enabled": false
+            "mls_support_enabled": false,
+            "cert_pinning_config": {
+                "sha256/fnBeCwh0imI9t46Onid49IwvsB5vcf7RCvafRRdCyRE=": [
+                    "**.prod-nginz-https.wire.com",
+                    "**.prod-nginz-ssl.wire.com",
+                    "**.prod-assets.wire.com",
+                    "clientblacklist.wire.com"
+                ]
+            }
         },
         "dev": {
             "application_id": "com.waz.zclient.dev",
@@ -65,40 +73,35 @@
     },
     "application_name": "Wire",
     "allow_sso_authentication_option": true,
-
     "url_support": "https://support.wire.com",
-    "allow_account_creation" : true,
+    "allow_account_creation": true,
     "max_accounts": 3,
     "enable_blacklist": true,
     "allow_email_change": true,
     "enable_guest_room_link": true,
     "file_restriction_enabled": false,
     "file_restriction_list": "3gpp, aac, amr, avi, bmp, css, csv, dib, doc, docx, eml, flac, gif, html, ico, jfif, jpeg, jpg, jpg-large, key, m4a, m4v, md, midi, mkv, mov, mp3, mp4, mpeg, mpeg3, mpg, msg, ods, odt, ogg, pdf, pjp, pjpeg, png, pps, ppt, pptx, psd, pst, rtf, sql, svg, tex, tiff, txt, vcf, vid, wav, webm, webp, wmv, xls, xlsx, xml",
     "force_constant_bitrate_calls": false,
-
     "mls_support_enabled": true,
     "encrypt_proteus_storage": false,
     "self_deleting_messages": true,
     "wipe_on_cookie_invalid": false,
     "wipe_on_device_removal": false,
     "wipe_on_rooted_device": false,
     "websocket_enabled_by_default": false,
-
     "firebase_push_sender_id": "782078216207",
     "firebase_app_id": "1:782078216207:android:d3db2443512d2055",
     "google_api_key": "AIzaSyBXtNKuX6GCKv2jDtsFImUaxCRL21DTLEQ",
     "fcm_project_id": "w966768976",
-
     "report_bug_menu_item_enabled": true,
     "debug_screen_enabled": true,
-
     "update_app_url": "https://wire.com/en/download/",
-
     "default_backend_url_base_api": "https://prod-nginz-https.wire.com",
     "default_backend_url_accounts": "https://account.wire.com",
     "default_backend_url_base_websocket": "https://prod-nginz-ssl.wire.com",
     "default_backend_url_teams": "https://teams.wire.com",
     "default_backend_url_blacklist": "https://clientblacklist.wire.com/prod",
     "default_backend_url_website": "https://wire.com",
-    "default_backend_title": "wire-production"
+    "default_backend_title": "wire-production",
+    "cert_pinning_config": {}
 }