We are developing an IBM MobileFirst 7.1 Hybrid mobile application, and planning to use the certificate pinning feature.
We can find information on IBM website about the SSL certificate pinning on IBM MobileFirst website : Here is a post in the IBM Knowledge Center and Here is a tutorial and its sample project/code
All these resources are great, but I have some questions :
Please advice
HTTP pinningHPKP got deprecated in 2018 after intents of removing it started in 2017. Almost all browsers no longer support it as attacks against HPKP surfaced. HPKP is being replaced by the reactive Certificate Transparency framework coupled with the Expect-CT header.
Certificate pinning restricts which certificates are considered valid for a particular website, limiting risk. Instead of allowing any trusted certificate to be used, operators "pin" the certificate authority (CA) issuer(s), public keys or even end-entity certificates of their choice.
Pinning ensures that no network data is compromised even if a user is tricked into installing a malicious root certificate on their mobile device. Any app that pins its certificates would thwart such phishing attempts by refusing to transmit data over a compromised connection.
If the pinning process is successful, the public key inside the provided certificate is used to verify the integrity of the MobileFirst Server certificate during the secured request SSL/TLS handshake. If the pinning process fails, all SSL/TLS requests to the server are rejected by the client application.
Are there any advantages to use native certificate pinning implementation for Android and iOS when my application is a hybrid application ?
You can always write your own code that does the pinning, or use 3rd party Cordova plug-ins. But none of those assure you the level of support you get by using the provided functionality. Note that you are then limited to the functionality provided (for example, certificate pinning by MobileFirst is restricted to a single destination host and not multiple).
If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and then can be updated using direct update ?
You need to have the certificate in both the client and the server. You do not need to use Direct Update to update the certificate on the client.
The way it works is that you need to only update the certificate on the server, but you must maintain the same public key in case you do update it
Does the hybrid implementation of certificate pinning work on WindowsPhone 8 (Hybrid app for Silverlight environment) ?
As mentioned in the documentation, certificate pinning supports only: "native iOS, native Android, and hybrid iOS or hybrid Android"
In the tutorial video, I have seen that when SSL pinning is ON, and we call a URL outside our server (google for example) it will fail. Does this mean google maps will fail loading if I enable certificate pinning ?
The pinning relates only to requests that are bound to the MobileFirst Server and not to other services.
What happen when the SSL certificate is revoked ?
Requests that are bound to the MobileFirst Server will fail.
What happen when the SSL certificate is expired ?
Requests that are bound to the MobileFirst Server will fail.
What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate ?
Because you only need to update the certificat eon the server, you only need to make sure to keep using the same public key as before.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With