I have noticed that the SSL pinning hashes and domain are not being added to the network_security_config.xml in the Android build. The file currently appears empty, as shown in the attached screenshot/file.
I am aware that in the latest version of the SSL Pinning Plugin, this issue was reportedly fixed. However, even after upgrading, I am still facing the problem where the hashes and domain are not being included in the Android build.
Could you please help investigate why the hashes and domain are not being applied during the build process? Any guidance on how to ensure that the plugin correctly generates the network_security_config.xml with the required SSL pinning entries would be greatly appreciated.
Thank you for your support.
Did you get that test.xml file from the generated apk file, using something like Android Studio's Apk Analyzer?
If so, then I'd say it's normal for the actual hashes and domains to not appear there, because that xml file is a compressed version and does not contain the entirety of the information.
If you'd really like to retrieve the information, you can use some reverse-engineering tools to get it.
But the fact that it includes several <pins> leads me to believe the hashes are in place. If you'd like to confirm the SSL Pinning is working, try to replace with incorrect SHA-256 hashes, and requests to that server / "CheckCertificate" client action should fail.
Hope this helps.
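As an added example (not part of the thread and not the plugin's own code): once the APK's binary `network_security_config.xml` has been decoded back to plain text, for instance with apktool, a short script can confirm that every pinned domain carries well-formed SHA-256 pins and that the pin-set has not expired. The `<pin-set>`/`<pin>` element names are those of Android's Network Security Configuration format; the function name `audit_pins`, the domains and the pin values are constructed for illustration.

```python
import base64, binascii, hashlib
import xml.etree.ElementTree as ET
from datetime import date

def _pin(seed: bytes) -> str:
    # Constructed sample pin: base64(SHA-256(seed)), not a real certificate hash.
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()

# Constructed sample of a decoded config: one healthy entry, one broken entry.
SAMPLE_XML = f"""<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.test</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">{_pin(b"primary")}</pin>
      <pin digest="SHA-256">{_pin(b"backup")}</pin>
    </pin-set>
  </domain-config>
  <domain-config>
    <domain>old.example.test</domain>
    <pin-set expiration="2020-01-01">
      <pin digest="SHA-256">AAAA</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

def audit_pins(xml_text: str, today: date) -> dict:
    """Return {domain: [problems]}; an empty list means the pin-set looks sane."""
    report = {}
    for cfg in ET.fromstring(xml_text).iter("domain-config"):
        problems = []
        pin_set = cfg.find("pin-set")
        pins = [] if pin_set is None else pin_set.findall("pin")
        if not pins:
            problems.append("no pins")
        for pin in pins:
            try:  # a SHA-256 pin must be valid base64 that decodes to 32 bytes
                raw = base64.b64decode((pin.text or "").strip(), validate=True)
            except (binascii.Error, ValueError):
                raw = b""
            if pin.get("digest") != "SHA-256" or len(raw) != 32:
                problems.append("malformed pin")
        exp = None if pin_set is None else pin_set.get("expiration")
        if exp and date.fromisoformat(exp) <= today:
            problems.append("pin-set expired (pinning no longer enforced)")
        for dom in cfg.findall("domain"):
            report[(dom.text or "").strip()] = problems
    return report

if __name__ == "__main__":
    print(audit_pins(SAMPLE_XML, date.today()))
```

An empty problem list only shows the pins are present and well formed; whether they match the server's key is still confirmed by the wrong-hash test described above.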
Dear ,
Yes, I was using Android Studio’s APK Analyzer to view that file. You may be correct — when I changed the hashes, it doesn't work.
However, we are facing a strange scenario: the SSL pinning is not working on older Android devices (Android 12 or 13), where the CheckCertificate validation is failing. On newer versions (Android 14 and above), everything works fine.
Have you encountered this kind of issue before?
I have resolved the issue, which was related to the server certificate. By default, OutSystems trusts only system certificates. For example, older devices may not support the latest certificates. In such cases, we need to implement custom logic to enable these devices to trust the server certificate. Now all the devices are working with SSL pinning.
Hey @Vignesh Sekar, can you share what MABS version you are using currently? Were you testing with an older version of the plugin and it was working, or it never worked for you?
Are you following the setup in https://success.outsystems.com/documentation/11/integration_with_external_systems/mobile_plugins/ssl_pinning_plugin/#how-to-implement-ssl-pinning-in-outsystems - Including configuring the JSON file with hashes and domain as specified, placing it in your application's Resources, with Target Directory "pinning", and no other json file in that "pinning" target directory?
Dear ,
MABS version: 11.1 (current stable)
And yes, I have followed all the steps mentioned in the documentation.
I have not experienced such a scenario of different behaviors across Android versions.
Because this plugin involves security aspects, and to not reveal too much information here, I would suggest contacting OutSystems support so they may help you in this matter.