IBM MobileFirst certificate pinning best practices

We are developing an IBM MobileFirst 7.1 Hybrid mobile application, and planning to use the certificate pinning feature.

We can find information about SSL certificate pinning on the IBM MobileFirst website: here is a post in the IBM Knowledge Center, and here is a tutorial and its sample project/code.

All these resources are great, but I have some questions:

  • Are there any advantages to using a native certificate pinning implementation for Android and iOS when my application is a hybrid application?
  • If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and can it then be updated using Direct Update?
  • Does the hybrid implementation of certificate pinning work on Windows Phone 8 (hybrid app for the Silverlight environment)?
  • In the tutorial video, I have seen that when SSL pinning is on and we call a URL outside our server (Google, for example), it fails. Does this mean Google Maps will fail to load if I enable certificate pinning?
  • What happens when the SSL certificate is revoked?
  • What happens when the SSL certificate is expired?
  • What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate?

Please advise.

WiPhone asked Jun 22 '16 23:06



1 Answer

Are there any advantages to using a native certificate pinning implementation for Android and iOS when my application is a hybrid application?

You can always write your own code that does the pinning, or use third-party Cordova plug-ins. But none of those assures you of the level of support you get by using the provided functionality. Note that you are then limited to the functionality provided (for example, certificate pinning by MobileFirst is restricted to a single destination host and not multiple).

If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and can it then be updated using Direct Update?

You need to have the certificate in both the client and the server. You do not need to use Direct Update to update the certificate on the client.

The way it works is that you only need to update the certificate on the server, but you must keep the same public key if you do update it.

Does the hybrid implementation of certificate pinning work on Windows Phone 8 (hybrid app for the Silverlight environment)?

As mentioned in the documentation, certificate pinning supports only: "native iOS, native Android, and hybrid iOS or hybrid Android"

In the tutorial video, I have seen that when SSL pinning is on and we call a URL outside our server (Google, for example), it fails. Does this mean Google Maps will fail to load if I enable certificate pinning?

The pinning relates only to requests that are bound to the MobileFirst Server and not to other services.

What happens when the SSL certificate is revoked?

Requests that are bound to the MobileFirst Server will fail.

What happens when the SSL certificate is expired?

Requests that are bound to the MobileFirst Server will fail.

What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate?

Because you only need to update the certificate on the server, you only need to make sure to keep using the same public key as before.

Idan Adar answered Oct 05 '22 05:10
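To make the renewal advice in the answer concrete: what the pinned client compares is the server's public key, so a renewed certificate keeps working only if it is issued for the same key pair, and the validity dates or serial number of the new certificate do not matter to the pin. The script below is an added example (not code from the question, the answer, or IBM's MobileFirst tooling) using only the Python standard library. It walks the DER structure of an X.509 certificate, pulls out the SubjectPublicKeyInfo, hashes it with SHA-256 (the pin format used by HPKP and most pinning libraries; MobileFirst itself takes the certificate file and extracts the key), and compares the pin of the currently pinned certificate with that of a candidate renewal. The three certificates it feeds itself are constructed, unsigned skeletons with placeholder key bytes so that it runs offline; the same functions accept a real DER file, for example the output of `openssl x509 -in server.crt -outform der -out server.der`.

```python
import base64
import hashlib
from datetime import datetime, timezone

# ---- minimal DER reader/writer (stdlib only; single-byte tags, which is all X.509 uses) ----

def der_len(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode one DER element at pos: (tag, value, raw_element, position_after)."""
    start = pos
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def elements(body):
    """Split the body of a constructed element into its (tag, value, raw) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, raw, pos = read_tlv(body, pos)
        out.append((tag, value, raw))
    return out

# ---- X.509 walk: Certificate -> tbsCertificate -> [version] serial sigAlg issuer validity subject spki ----

def tbs_fields(cert_der):
    _, cert_body, _, _ = read_tlv(cert_der, 0)    # Certificate ::= SEQUENCE
    _, tbs_body, _, _ = read_tlv(cert_body, 0)    # tbsCertificate is its first child
    fields = elements(tbs_body)
    if fields[0][0] == 0xA0:                       # EXPLICIT [0] version is optional (absent in v1 certs)
        fields = fields[1:]
    return fields

def spki_from_cert(cert_der):
    """Raw DER SubjectPublicKeyInfo: the only part of the certificate the pin depends on."""
    return tbs_fields(cert_der)[5][2]

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)), as in HPKP-style pin sets."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode("ascii")

def validity_from_cert(cert_der):
    """(notBefore, notAfter) as UTC datetimes; UTCTime (tag 0x17) or GeneralizedTime (0x18)."""
    def to_dt(tag, value):
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    not_before, not_after = elements(tbs_fields(cert_der)[3][1])
    return to_dt(not_before[0], not_before[1]), to_dt(not_after[0], not_after[1])

def renewal_keeps_pin(pinned_cert_der, candidate_cert_der):
    """True if clients pinned to the first certificate will still accept the second one."""
    return spki_pin(pinned_cert_der) == spki_pin(candidate_cert_der)

# ---- constructed sample input: unsigned certificate skeletons with placeholder keys ----

RSA_ENCRYPTION = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + tlv(0x05, b""))   # 1.2.840.113549.1.1.1
SHA256_WITH_RSA = tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + tlv(0x05, b""))  # 1.2.840.113549.1.1.11

def fake_spki(modulus):
    """SubjectPublicKeyInfo around RSAPublicKey {modulus, 65537}; the modulus bytes are placeholders."""
    rsa_key = tlv(0x30, tlv(0x02, b"\x00" + modulus) + tlv(0x02, b"\x01\x00\x01"))
    return tlv(0x30, RSA_ENCRYPTION + tlv(0x03, b"\x00" + rsa_key))

def fake_name(common_name):
    """Name ::= SEQUENCE OF RDN, here a single CN (OID 2.5.4.3) UTF8String attribute."""
    attr = tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, common_name.encode("utf-8")))
    return tlv(0x30, tlv(0x31, attr))

def fake_cert(spki, common_name, not_before, not_after):
    """Real X.509 field layout with a zeroed signature: sample data only, never a trusted certificate."""
    def utc_time(d):
        return tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                    # [0] version v3
              + tlv(0x02, b"\x01")                              # serialNumber
              + SHA256_WITH_RSA                                 # signature algorithm
              + fake_name("Example Issuing CA")                 # issuer
              + tlv(0x30, utc_time(not_before) + utc_time(not_after))
              + fake_name(common_name)                          # subject
              + spki)
    return tlv(0x30, tbs + SHA256_WITH_RSA + tlv(0x03, b"\x00" * 33))  # zeroed signature BIT STRING

KEY_A = bytes(range(1, 65))       # placeholder "modulus", not a real RSA key
KEY_B = bytes(range(64, 0, -1))   # a different placeholder key pair

CURRENT_CERT = fake_cert(fake_spki(KEY_A), "mfp.example.com", datetime(2016, 7, 1), datetime(2017, 7, 1))
RENEWED_SAME_KEY = fake_cert(fake_spki(KEY_A), "mfp.example.com", datetime(2017, 6, 1), datetime(2018, 6, 1))
RENEWED_NEW_KEY = fake_cert(fake_spki(KEY_B), "mfp.example.com", datetime(2017, 6, 1), datetime(2018, 6, 1))

if __name__ == "__main__":
    for label, cert in (("pinned", CURRENT_CERT), ("renewed, same key", RENEWED_SAME_KEY),
                        ("renewed, new key", RENEWED_NEW_KEY)):
        print(f"{label:18} pin={spki_pin(cert)} notAfter={validity_from_cert(cert)[1].date()}")
    print("same-key renewal keeps pin:", renewal_keeps_pin(CURRENT_CERT, RENEWED_SAME_KEY))
    print("rekeyed renewal keeps pin: ", renewal_keeps_pin(CURRENT_CERT, RENEWED_NEW_KEY))
```

Run this kind of check against the candidate certificate before it goes live on the MobileFirst Server: a pin mismatch means every client that pinned the old certificate will start rejecting the server at the moment of the switch, the same total failure the answer describes for a revoked or expired certificate, and recovering requires getting a new pinned certificate to the clients rather than just fixing the server. The output also shows what the pin does not cover: the expired and the renewed certificate have different notAfter dates but the same pin, so expiry is caught by the platform's normal TLS validation, not by pinning.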