SSL Pinning Issue with Ionic + Capacitor

Question

As mentioned in the official docs [1], I have been trying to implement SSL Pinning in an Ionic + Angular + Capacitor Project using the Cordova Advanced HTTP plugin [2].

However, each time I open the iOS app with Xcode, it logs an error [3] saying that the certificate is invalid, which I believe is wrong.

2019-07-02 09:20:13.211085+0530 App[481:58424] TIC SSL Trust Error [1:0x280002100]: 3:0
2019-07-02 09:20:13.228677+0530 App[481:58424] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2019-07-02 09:20:13.228721+0530 App[481:58424] Task <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1> HTTP load failed (error code: -1202 [3:-9813])
2019-07-02 09:20:13.228908+0530 App[481:58418] Task <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1> finished with error - code: -1202
2019-07-02 09:20:13.231665+0530 App[481:58415] Task <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1> load failed with error Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “reqres.in” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x10408e200) s: sni96286.cloudflaressl.com i: COMODO ECC Domain Validation Secure Server CA 2>",
    "<cert(0x104067800) s: COMODO ECC Domain Validation Secure Server CA 2 i: COMODO ECC Certification Authority>",
    "<cert(0x10408ee00) s: COMODO ECC Certification Authority i: AddTrust External CA Root>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://reqres.in/api/users/2, NSErrorFailingURLStringKey=https://reqres.in/api/users/2, NSUnderlyingError=0x283b578d0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x28070d4d0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x10408e200) s: sni96286.cloudflaressl.com i: COMODO ECC Domain Validation Secure Server CA 2>",
    "<cert(0x104067800) s: COMODO ECC Domain Validation Secure Server CA 2 i: COMODO ECC Certification Authority>",
    "<cert(0x10408ee00) s: COMODO ECC Certification Authority i: AddTrust External CA Root>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1>"
), _kCFStreamErrorCodeKey=-9813, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <46E01436-B71E-421D-B8F0-584EBEBEDD56>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x28070d4d0>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “reqres.in” which could put your confidential information at risk.} [-1202]
⚡️  [log] - -2   
⚡️  [log] - The certificate for this server is invalid. You might be connecting to a server that is pretending to be “reqres.in” which could put your confidential information at risk.   
⚡️  [log] - undefined

My sample application with the steps I took is available on GitHub [4] and I would like to know how to get SSL Pinning integrated in my app correctly. Ideally it would be convenient for everyone if you can fork/clone my project and try your workarounds in it.

[1] https://ionicframework.com/docs/native/http

[2] https://github.com/silkimen/cordova-plugin-advanced-http

[3] https://github.com/ashenwgt/ionic-capacitor-ssl-pinning/blob/master/logs/xcode-log.backup

[4] https://github.com/ashenwgt/ionic-capacitor-ssl-pinning

Any help would be highly appreciated.

Answer 1

This problem occurs because ionic webpack configuration erases the www folder of IOS when build operation start.

To ensure that your certificates won't be deleted, you have to copy it using a custom copy config for webpack instead of config.xml resource-file.

This is how I resolved it:

1 - Create a folder certificates/ at the root of your project, containing your *.cer files

2 - Create a file copy.config.js at the root of your project with the following content

// provide a name for an entry, it can be anything such as 'copyAssets' or 'copyFonts'
// then provide an object with a `src` array of globs and a `dest` string
module.exports = {
    copyAssets: {
        src: ['{{SRC}}/assets/**/*'],
        dest: '{{WWW}}/assets'
    },
    copyIndexContent: {
        src: ['{{SRC}}/index.html', '{{SRC}}/manifest.json', '{{SRC}}/service-worker.js'],
        dest: '{{WWW}}'
    },
    copyFonts: {
        src: ['{{ROOT}}/node_modules/ionicons/dist/fonts/**/*', '{{ROOT}}/node_modules/ionic-angular/fonts/**/*'],
        dest: '{{WWW}}/assets/fonts'
    },
    copyPolyfills: {
        src: [`{{ROOT}}/node_modules/ionic-angular/polyfills/${process.env.IONIC_POLYFILL_FILE_NAME}`],
        dest: '{{BUILD}}'
    },
    copySwToolbox: {
        src: ['{{ROOT}}/node_modules/sw-toolbox/sw-toolbox.js'],
        dest: '{{BUILD}}'
    },
    copyCertificates: {
        src: ['certificates/**/*'],
        dest: '{{WWW}}/certificates'
    }
}

3 - Add the following config in your package.json file

"config": {
    "ionic_copy": "copy.config.js"
}

Good luck ! 😉