[Bug] SSL pinning is not working for both iOS and Android #522

Open
takhil opened this issue Nov 29, 2023 · 3 comments


takhil commented Nov 29, 2023

Describe the bug
We are getting an exception on both iOS and Android with our new certificate on the server. We checked the SSL certificate; everything looks fine, no errors. We tried adding default and trusted; in both cases we are facing the issue.

FYI, certificate pinning used to work one year back, but because of our certificates we disabled it. Now, after updating the certs in the certificates folder, it is not respecting the certs. We checked the www folder, and it has the certificates in the platform folder.

Anyone experiencing the same problem?

System info

  • affected HTTP plugin version: [3.3.1]
  • affected platform(s) and version(s): [iOS and Android]
  • cordova version: Cordova CLI : 11.0.0 ([email protected])
  • cordova platform version(s): [iOS 7.0.0 Android 12.0.0]
  • Angular 14.0.0

Are you using ionic-native-wrapper?

  • ionic-native-wrapper version: yes [6.4.0]
    '@awesome-cordova-plugins/http/ngx';
  • did you check ionic-native issue tracker for your problem? yes

Minimum viable code to reproduce

e.g.:

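     import { HTTP, HTTPResponse } from '@awesome-cordova-plugins/http/ngx';
     export class AppComponent { // hypothetical component name
       constructor(private http: HTTP) {
         this.http.setServerTrustMode('pinned'); // pin to the .cer files in www/certificates
       }
     }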


Reference
https://dzone.com/refcardz/securing-mobile-applications-with-cert-pinning


TiBz0u commented Feb 23, 2024

Hi @takhil,
First, can you confirm these questions:

  • You are using Cordova / not Capacitor?
  • Is the certificate really a DER certificate (binary)?
    openssl x509 -inform der -in CERTIFICATE.cer -text -noout must succeed
  • Is the extension really .cer?
  • Your certificate is added through hook into www/certificates and you can find it in your final native platform (Android or iOS)

If yes:
What error do you have? -2?
On both platforms?
Is your certificate self-signed? I remember having an issue with this kind of certificate.

EDIT: I suppose that you correctly inject the http service in your Angular component and that setServerTrustMode() returns success.

Kr.


takhil commented Feb 28, 2024

Hi @TiBz0u ,

Thanks for the response. I see error -2 from the mobile app when I tried to inject the serverTrustMode(), and I checked the certificate with the command and the certificate looks good.

Can you think of anything else?


TiBz0u commented Mar 8, 2024

Hi @takhil,

The serverTrustMode() method normally gives you only a success. It has to be done when your app starts. After that, if you respect what I explained above, it has to work.

Please double check the extension (.cer needed) and the format (must be DER and not PEM [base64]).

Otherwise, can you provide a public repository to check your configuration?

If you use a VPN, please make sure with IT that the VPN doesn't encapsulate everything; it can be a problem too.

Kr.
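
The checks listed in the replies above (DER encoding rather than PEM, a .cer extension, files present in the certificates folder) can be scripted and run against www/certificates before a build. This is an added example, not part of the thread or the plugin's code; the function names, the `STRICT` switch and the sample files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the plugin): audit a www/certificates folder.

# Print "pem", "der" or "unknown" for one file, judged by content, not name.
classify_cert() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
    echo pem   # base64 text, the format the thread says must not be used
  elif [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "3082" ]; then
    echo der   # ASN.1 SEQUENCE with 2-byte length: how DER certs start in practice
  else
    echo unknown
  fi
}

# Print one line per file in DIR; the return status is the number of problems.
audit_cert_dir() {
  problems=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    kind=$(classify_cert "$f")
    case "$f" in *.cer) ext=ok ;; *) ext=wrong ;; esac
    if [ "$kind" = pem ]; then
      echo "FAIL $f: PEM; convert: openssl x509 -in $f -outform der -out NEW.cer"
    elif [ "$kind" != der ] || [ "$ext" != ok ]; then
      echo "FAIL $f: encoding=$kind extension=$ext (need DER and .cer)"
    elif [ "${STRICT:-0}" = 1 ] &&
         ! openssl x509 -inform der -in "$f" -noout >/dev/null 2>&1; then
      # STRICT is an assumed opt-in switch: run the full parse from the thread.
      echo "FAIL $f: openssl cannot parse it as a DER certificate"
    else
      echo "OK   $f"; continue
    fi
    problems=$((problems + 1))
  done
  return "$problems"
}

# Constructed sample input: fake bytes with a DER-style header, and a PEM stub.
demo=$(mktemp -d)
printf '\060\202\001\012rest' > "$demo/api.cer"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB' '-----END CERTIFICATE-----' \
  > "$demo/renamed-pem.cer"
audit_cert_dir "$demo" || echo "problems found: $?"
rm -rf "$demo"
```

With a real project, call `STRICT=1 audit_cert_dir www/certificates` so that each file also has to pass the openssl parse quoted in the thread; a PEM file that was merely renamed to .cer is reported as a failure.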
