Trust
TrustPin Kotlin SDK Documentation
TrustPin is a modern, lightweight, and secure Kotlin library designed to enforce SSL Certificate Pinning for Android and JVM applications. Built with Kotlin Coroutines and following OWASP security recommendations, TrustPin prevents man-in-the-middle (MITM) attacks by ensuring server authenticity at the TLS level.
π Key Features
β Kotlin Multiplatform - Shared codebase for Android and JVM platforms
β Flexible Pinning Modes - Strict validation or permissive mode for development
β Multiple Hash Algorithms - SHA-256 and SHA-512 certificate validation
β Signed Configuration - Cryptographically signed pinning configurations
β Android/JVM Integrations - Built-in TrustManager and SSLSocketFactory support
β Intelligent Caching - 10-minute configuration cache with stale fallback
β Comprehensive Logging - Configurable log levels for debugging and monitoring
β Thread-Safe - Built with coroutines and concurrent-safe operations
β Enhanced Security - Advanced signature verification with multiple authentication methods
π Platform Requirements
| Platform | Minimum Version | Notes |
|---|---|---|
| Android | API 25 (7.1+) | Full feature support |
| JVM | Java 11+ | Desktop/Server applications |
| Kotlin | 2.3.0+ | Built with Kotlin 2.3.0 |
π¦ Installation
Gradle (Kotlin DSL)
Add to your build.gradle.kts:
dependencies {
implementation("cloud.trustpin:kotlin-sdk:4.0.0")
}Gradle (Groovy)
Add to your build.gradle:
dependencies {
implementation 'cloud.trustpin:kotlin-sdk:4.0.0'
}Maven
Add to your pom.xml:
<dependency>
<groupId>cloud.trustpin</groupId>
<artifactId>kotlin-sdk</artifactId>
<version>4.0.0</version>
</dependency>π§ Quick Setup
1. Create and Configure
import cloud.trustpin.kotlin.sdk.TrustPin
import cloud.trustpin.kotlin.sdk.TrustPinMode
// Configure with your project credentials (suspend function)
suspend fun initializeTrustPin() {
TrustPin.setup(
organizationId = "your-org-id",
projectId = "your-project-id",
publicKey = "your-base64-public-key",
mode = TrustPinMode.STRICT // Recommended
)
}π‘ Find your credentials in the TrustPin Dashboard
βοΈ Dual API Design: TrustPin provides both suspend functions (recommended for Kotlin coroutines) and blocking functions (for Java interop and non-coroutine contexts).
2. Choose Your Pinning Mode
TrustPin offers two validation modes:
Strict Mode (Recommended for Production)
suspend fun setupProduction() {
TrustPin.setup(
// ... your credentials
mode = TrustPinMode.STRICT // Throws error for unregistered domains
)
}Permissive Mode (Development & Testing)
suspend fun setupDevelopment() {
TrustPin.setup(
// ... your credentials
mode = TrustPinMode.PERMISSIVE // Allows unregistered domains to bypass pinning
)
}π Usage Examples
Dual API Design
TrustPin provides both suspend and blocking APIs to support different use cases:
// Suspend API - for Kotlin coroutines (recommended)
suspend fun setupAndVerify() {
// Setup TrustPin configuration
TrustPin.setup(
organizationId = "your-org-id",
projectId = "your-project-id",
publicKey = "your-public-key",
mode = TrustPinMode.STRICT
)
// Verify certificates
val certificate: X509Certificate = // ...
TrustPin.verify("api.example.com", certificate)
}
// Blocking API - for Java interop and non-coroutine contexts
fun setupBlocking() {
// Setup TrustPin configuration
TrustPin.setupBlocking(
organizationId = "your-org-id",
projectId = "your-project-id",
publicKey = "your-public-key",
mode = TrustPinMode.STRICT
)
// Verify certificates
val certificate: X509Certificate = // ...
TrustPin.verifyBlocking("api.example.com", certificate)
}OkHttp Integration with SSLSocketFactory
The recommended integration pattern for OkHttp applications:
import cloud.trustpin.kotlin.sdk.TrustPin
import cloud.trustpin.kotlin.sdk.TrustPinMode
import cloud.trustpin.kotlin.sdk.ssl.TrustPinSSLSocketFactory
import okhttp3.OkHttpClient
import okhttp3.Request
import java.util.concurrent.TimeUnit
class NetworkManager {
private val httpClient by lazy {
val sslSocketFactory = TrustPinSSLSocketFactory.create()
OkHttpClient.Builder()
.connectTimeout(30, TimeUnit.SECONDS)
.readTimeout(30, TimeUnit.SECONDS)
.writeTimeout(30, TimeUnit.SECONDS)
.sslSocketFactory(sslSocketFactory, sslSocketFactory.trustManager())
.build()
}
suspend fun initialize() {
TrustPin.setup(
organizationId = "your-org-id",
projectId = "your-project-id",
publicKey = "your-public-key",
mode = TrustPinMode.STRICT
)
}
suspend fun fetchData(): String {
val request = Request.Builder()
.url("https://api.example.com/data")
.build()
return httpClient.newCall(request).execute().use { response ->
response.body?.string() ?: ""
}
}
}Manual Certificate Verification
For custom networking stacks or certificate inspection:
import cloud.trustpin.kotlin.sdk.TrustPin
import cloud.trustpin.kotlin.sdk.TrustPinError
import java.security.cert.X509Certificate
// Verify an X.509 certificate for a specific domain
suspend fun verifyCertificate() {
val domain = "api.example.com"
val certificate: X509Certificate = // ... obtained from connection
try {
TrustPin.verify(domain = domain, certificate = certificate)
println("β
Certificate is valid and matches configured pins")
} catch (e: TrustPinError.DomainNotRegistered) {
println("β οΈ Domain not configured for pinning")
} catch (e: TrustPinError.PinsMismatch) {
println("β Certificate doesn't match any configured pins")
} catch (e: TrustPinError) {
println("π₯ Verification failed: ${e.message}")
}
}π§ Android Integration Examples
Retrofit with OkHttp
import retrofit2.Retrofit
import retrofit2.converter.gson.GsonConverterFactory
import cloud.trustpin.kotlin.sdk.ssl.TrustPinSSLSocketFactory
import java.util.concurrent.TimeUnit
class ApiClient {
private val okHttpClient by lazy {
val sslSocketFactory = TrustPinSSLSocketFactory.create()
OkHttpClient.Builder()
.connectTimeout(30, TimeUnit.SECONDS)
.readTimeout(30, TimeUnit.SECONDS)
.sslSocketFactory(sslSocketFactory, sslSocketFactory.trustManager())
.build()
}
private val retrofit by lazy {
Retrofit.Builder()
.baseUrl("https://api.example.com/")
.client(okHttpClient)
.addConverterFactory(GsonConverterFactory.create())
.build()
}
suspend fun initialize() {
TrustPin.setup(
organizationId = "prod-org-id",
projectId = "prod-project-id",
publicKey = "prod-public-key",
mode = TrustPinMode.STRICT
)
}
fun <T> createService(serviceClass: Class<T>): T {
return retrofit.create(serviceClass)
}
}Ktor Client Integration
import io.ktor.client.*
import io.ktor.client.engine.okhttp.*
import io.ktor.client.request.*
import cloud.trustpin.kotlin.sdk.ssl.TrustPinSSLSocketFactory
class KtorNetworkClient {
private val httpClient by lazy {
val sslSocketFactory = TrustPinSSLSocketFactory.create()
HttpClient(OkHttp) {
engine {
preconfigured = OkHttpClient.Builder()
.sslSocketFactory(sslSocketFactory, sslSocketFactory.trustManager())
.build()
}
}
}
suspend fun initialize() {
TrustPin.setup(
organizationId = "your-org-id",
projectId = "your-project-id",
publicKey = "your-public-key",
mode = TrustPinMode.STRICT
)
}
suspend fun fetchData(): String {
return httpClient.get("https://api.example.com/data")
}
}π― Pinning Modes Explained
| Mode | Behavior | Use Case |
|---|---|---|
TrustPinMode.STRICT | β Throws TrustPinError.DomainNotRegistered for unregistered domains | Production environments where all connections should be validated |
TrustPinMode.PERMISSIVE | β Allows unregistered domains to bypass pinning | Development/Testing or apps connecting to dynamic domains |
When to Use Each Mode
Strict Mode (TrustPinMode.STRICT)
β Production applications
β High-security environments
β Known, fixed set of API endpoints
β Compliance requirements
Permissive Mode (TrustPinMode.PERMISSIVE)
β Development and staging
β Applications with dynamic/unknown endpoints
β Gradual migration to certificate pinning
β Third-party SDK integrations
π Error Handling
TrustPin provides detailed error types for proper handling:
import cloud.trustpin.kotlin.sdk.TrustPinError
try {
TrustPin.verify(domain = "api.example.com", certificate = cert)
} catch (e: TrustPinError.DomainNotRegistered) {
// Domain not configured in TrustPin (only in strict mode)
handleUnregisteredDomain()
} catch (e: TrustPinError.PinsMismatch) {
// Certificate doesn't match configured pins - possible MITM
handleSecurityThreat()
} catch (e: TrustPinError.AllPinsExpired) {
// All pins for domain have expired
handleExpiredPins()
} catch (e: TrustPinError.InvalidServerCert) {
// Certificate format is invalid
handleInvalidCertificate()
} catch (e: TrustPinError.InvalidProjectConfig) {
// Setup parameters are invalid
handleConfigurationError()
} catch (e: TrustPinError.ErrorFetchingPinningInfo) {
// Network error fetching configuration
handleNetworkError()
} catch (e: TrustPinError.ConfigurationValidationFailed) {
// Configuration signature validation failed
handleSignatureError()
}π Logging and Debugging
TrustPin provides comprehensive logging for debugging and monitoring:
import cloud.trustpin.kotlin.sdk.TrustPinLogLevel
// Set log level before setup
TrustPin.setLogLevel(TrustPinLogLevel.DEBUG)
// Available log levels:
// TrustPinLogLevel.NONE - No logging
// TrustPinLogLevel.ERROR - Errors only
// TrustPinLogLevel.INFO - Errors and informational messages
// TrustPinLogLevel.DEBUG - All messages including debug informationExample Debug Output
[14:30:15] [DEBUG] Starting certificate verification for domain: api.example.com
[14:30:15] [DEBUG] Sanitized domain: api.example.com
[14:30:15] [INFO] Using cached configuration
[14:30:15] [DEBUG] Found domain configuration with 2 pins
[14:30:15] [DEBUG] Certificate hash matches sha256 pin for domain api.example.com
[14:30:15] [INFO] Valid pin found for api.example.comπ Best Practices
Setup and Initialization
Call
TrustPin.setup()once during app initialization (typically inApplication.onCreate())Handle setup errors gracefully - don't block app launch if TrustPin fails
Set log level before setup for complete logging coverage
Use coroutines for setup in Android lifecycle-aware components
Security Recommendations
Always use
TrustPinMode.STRICTin productionRotate pins before expiration
Monitor pin validation failures
Use HTTPS for all pinned domains
Keep public keys secure and version-controlled
Performance Optimization
Cache TrustPin configuration (handled automatically)
Reuse OkHttpClient instances with TrustPin SSLSocketFactory
Use appropriate log levels (
ERRORorNONEin production)Initialize early to avoid setup delays during first network requests
Development Workflow
Start with
TrustPinMode.PERMISSIVEduring developmentTest all endpoints with pinning enabled
Validate pin configurations in staging
Switch to
TrustPinMode.STRICTfor production releasesUse debug logging to troubleshoot pinning issues
π Choosing the Right API
TrustPin provides two API styles to fit different development contexts:
API Selection Guide
Suspend API (Recommended for Kotlin):
// β
For Kotlin coroutine contexts
suspend fun initialize() {
TrustPin.setup(
organizationId = "your-org-id",
projectId = "your-project-id",
publicKey = "your-public-key",
mode = TrustPinMode.STRICT
)
}Blocking API (For Java and Non-Coroutine Contexts):
// β
For Java interop and blocking Kotlin contexts
fun initialize() {
TrustPin.setupBlocking(
organizationId = "your-org-id",
projectId = "your-project-id",
publicKey = "your-public-key",
mode = TrustPinMode.STRICT
)
}π§ͺ Testing
Unit Testing with TrustPin
import kotlinx.coroutines.test.runTest
import org.junit.Test
class NetworkTest {
@Test
fun `test secure network request`() = runTest {
// Use permissive mode for testing
TrustPin.setup(
organizationId = "test-org",
projectId = "test-project",
publicKey = "test-key",
mode = TrustPinMode.PERMISSIVE
)
val networkClient = SecureNetworkClient()
val result = networkClient.fetchData()
assert(result.isNotEmpty())
}
}π Troubleshooting
Common Issues
Setup Fails with InvalidProjectConfig
β Verify organization ID, project ID, and public key are correct
β Check for extra whitespace or newlines in credentials
β Ensure public key is properly base64-encoded
Certificate Verification Fails
β Confirm domain is registered in TrustPin dashboard
β Check certificate format (must be valid X.509)
β Verify pins haven't expired
β Test with
TrustPinMode.PERMISSIVEfirst
OkHttp Integration Issues
β Ensure TrustPin is initialized before creating OkHttpClient
β Use
TrustPinSSLSocketFactory.create()with OkHttp'ssslSocketFactory()methodβ Always pass both SSLSocketFactory and TrustManager to OkHttp
β Verify coroutine context for suspend functions
Debug Steps
Enable debug logging:
TrustPin.setLogLevel(TrustPinLogLevel.DEBUG)Test with permissive mode first
Verify credentials in TrustPin dashboard
Check network connectivity to
cdn.trustpin.cloudInspect certificate details with openssl or browser tools
π Documentation
API Reference: index.html
Documentation site: Documentation site
TrustPin Dashboard: Configure domains and pins
π License
Commercial License: For enterprise licensing or custom agreements, contact contact@trustpin.cloud
Attribution Required: When using this software, you must display "Uses TrustPinβ’ technology β https://trustpin.cloud" in your application.
π€ Support & Feedback
For questions and support:
π§ Email: support@trustpin.cloud
π Website: https://trustpin.cloud
π Issues: For SDK-related issues, please contact support
Built with β€οΈ by the TrustPin team