[SSL Pinning Plugin] SSL Pinning Plugin - Documentation

Forge Component
Published on 2 Sep (4 weeks ago) by OutSystems R&D

In mobile apps, SSL Pinning or HTTP Public Key Pinning (HPKP) provides an extra layer of security to HTTPS communications to avoid, for example, man-in-the-middle attacks. It works client-side and verifies the server certificate by comparing hashes of public keys that are pre-bundled with the mobile app.

Get the plugin from the SSL Pinning page in Forge. Make sure to read the documentation before creating builds with SSL Pinning.

(Post edit in August 2020)

Hello Jaime,


Is it possible to generate and use a hash from the root certificate (or intermediate certificate), since it has a longer expiration date?


Appreciate your help.


Cheers,

Ricardo Brito

Hi,

This site generates the hash:

https://report-uri.com/home/pkp_hash

Cheers,

Bruno Cantante

Hello!

I'm starting to be upset by not having an error at all :(

I'm using it on my personal environment to test this, and no matter which hash I use in the configuration file, it always works!

Can anyone confirm that the plugin is working the way it should?

Thanks!

Hello, Mikael,

Have you re-generated and reinstalled the app after updating the hashes? Remember that, for native changes such as these to become effective, a new app must be generated.

Best regards,

Carlos Simões

Carlos Simões wrote:

Hello, Mikael,

Have you re-generated and reinstalled the app after updating the hashes? Remember that, for native changes such as these to become effective, a new app must be generated.

Best regards,

Carlos Simões

Hi Carlos,

Yes, I've done that several times and nothing changed.


I see. The other thing that happened to me a couple of times was that I mistakenly thought connections were being allowed, while in reality the app was still working, but in offline mode (AFAIK, this is only the case for one of the platforms, Android I think).

Could you please sanity check if calling a server action on the app is successful?

Best regards,

Carlos Simões

Carlos Simões wrote:

I see. The other thing that happened to me a couple of times was that I mistakenly thought connections were being allowed, while in reality the app was still working, but in offline mode (AFAIK, this is only the case for one of the platforms, Android I think).

Could you please sanity check if calling a server action on the app is successful?

Best regards,

Carlos Simões

I'm able to log in and log out successfully. I will try to do other kinds of tests/debugging, but I think this is a good example of a server action being called.

If you haven't changed any of the default Login logic, then yes: a server action is definitely being called.

Well, it looks like you've checked pretty much everything. As a final sanity check, could you confirm that the "pinning.json" file points to the exact hostname you are trying to pin? Wildcards and subdomains are not allowed, so it must match the hostname you want to validate exactly.

If that checks out, could you please open a support case with us, so we can have a look at what's wrong?

Thank you for your patience, and best regards,

Carlos Simões

Hi guys, 


Does the SSL Pinning plugin already support blob URLs?


Thanks.

Tiago Agostinho

Executing the following openssl command: 

openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

you may get the following error:

unable to load certificate
(...)Expecting: TRUSTED CERTIFICATE

To solve that, just specify that your certificate is in DER format (and not PEM, which is the default) with the option "-inform DER". So the command should look like:

openssl x509 -inform DER -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
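The openssl pipeline above hashes the DER-encoded SubjectPublicKeyInfo of the certificate, not the certificate itself. The following Python is an added example, not part of the original post or of the plugin, that does the same thing by hand: it accepts PEM or DER input (the `-inform DER` pitfall in code form), walks the ASN.1 to the SubjectPublicKeyInfo and emits the `sha256/...` pin. The certificate bytes it tests with are a constructed skeleton, not a real certificate.

```python
import base64, hashlib, re


def to_der(cert):
    """PEM or DER in, DER out: the counterpart of choosing `-inform DER` for openssl."""
    match = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
    return base64.b64decode(b"".join(match.group(1).split())) if match else cert

def read_tlv(buf, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, pos, pos + length

def subject_public_key_info(der_cert):
    """DER SubjectPublicKeyInfo: what `openssl x509 -pubkey | openssl rsa -pubin -outform der` emits."""
    _, tbs, _ = read_tlv(der_cert, 0)                    # Certificate SEQUENCE
    _, pos, end = read_tlv(der_cert, tbs)                # TBSCertificate SEQUENCE
    field = 0
    while pos < end:
        tag, _, nxt = read_tlv(der_cert, pos)
        field += tag != 0xA0                             # optional [0] version is skipped
        if field == 6:  # serial, signature, issuer, validity, subject, then SPKI
            return der_cert[pos:nxt]
        pos = nxt
    raise ValueError("SubjectPublicKeyInfo not found")

def spki_pin(cert):
    """The pin as pinning.json expects it: 'sha256/' + base64(sha256(SPKI DER))."""
    digest = hashlib.sha256(subject_public_key_info(to_der(cert))).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def der(tag, content):
    """Tiny DER encoder, used only to build the constructed fixture below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


RSA_OID = bytes.fromhex("06092a864886f70d010101")       # rsaEncryption
# Constructed fixture, NOT a real certificate: v3 skeleton, empty names, dummy signature.
SAMPLE_SPKI = der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + der(
    0x30, der(0x02, b"\x00" + b"\xab" * 64) + der(0x02, b"\x01\x00\x01"))))
SAMPLE_DER = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                 + der(0x30, RSA_OID) + der(0x30, b"") * 3 + SAMPLE_SPKI)
                 + der(0x30, RSA_OID) + der(0x03, b"\x00" * 9))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Because the pin covers only the public key, a renewed certificate that keeps the same key pair yields the same pin, and one with a new key pair yields a different one.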


Hello all,

Just some quick feedback in case you fall into this pitfall:

  • No wildcards or subdomains are allowed in the host. You must insert the full hostname of your server;


You can use a wildcard certificate to reuse across your environments, which are segregated into subdomains, for example:

  • Certificate: *.outsystems.net
  • Development Environment: cs11dev.outsystems.net
  • Development Environment: cs11qa.outsystems.net


As you notice, the environment hostname is a subdomain; this doesn't mean it can't be configured in pinning.json.

By default, the environment hostname is used, but if you have customized the Mobile App Domain Name then that is the hostname which will be used in the SSL Pinning configuration.

Make sure you are using the hostname for which the mobile package was generated, and that the respective certificate is for that same hostname!


As a final result the pinning configuration file should look like this:


And always validate the certificate chain by checking the SSL Checker and also the output of "Create your HPKP hash":



José Fábio Vieira wrote:

Hello all,

Just some quick feedback in case you fall into this pitfall:

  • No wildcards or subdomains are allowed in the host. You must insert the full hostname of your server;


You can use a wildcard certificate to reuse across your environments, which are segregated into subdomains, for example:

  • Certificate: *.outsystems.net
  • Development Environment: cs11dev.outsystems.net
  • Development Environment: cs11qa.outsystems.net


As you notice, the environment hostname is a subdomain; this doesn't mean it can't be configured in pinning.json.

By default, the environment hostname is used, but if you have customized the Mobile App Domain Name then that is the hostname which will be used in the SSL Pinning configuration.

Make sure you are using the hostname for which the mobile package was generated, and that the respective certificate is for that same hostname!



As a final result the pinning configuration file should look like this:


And always validate the certificate chain by checking the SSL Checker and also the output of "Create your HPKP hash":




Great post about this sensitive component.

Cheers,

GM


Hello, guys,

As stated in a recent email, OutSystems is renewing the "*.outsystemsenterprise.com" certificate and installing it as the default for cloud infrastructures in April 2020 (as mentioned in this article).

If your mobile app uses SSL Pinning and its server is using this certificate (i.e. if either the “DefaultDNSName” or “Environment hostname” values have a hostname ending in “outsystemsenterprise.com”), then you should do the following steps as soon as possible:

  1. Add its new thumbprint/hash to the pinning configurations of your mobile app (you can see the value on the FAQ of this article);

  2. Generate and distribute your mobile app.


Make sure you keep both the old and new certificate thumbprints/hashes on the configuration until the certificate has been switched for your environment. At that point, you can safely remove the old hash, generate and distribute a new version of the app.

Does anyone still use this SSL pinning? It seems to be deprecated and no longer supported by many browsers: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning. See here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

A note:

If the same value is used for the new hash and for the old one,

"hashes": [
  "sha256/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=",
  "sha256/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
]

on iOS, the build is generated but does not start.
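A small validator, added here and not part of the plugin, that checks one pinning entry against the rules spread through this thread: the host must be the exact hostname with no wildcards, pins must be well-formed, duplicate pins must not appear (the iOS symptom noted above), and during the rotation described in Carlos' post both the current and the replacement pin must be present. The `host` key name and the sample values are assumptions; the thread only shows the `hashes` array.

```python
import re

HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
PIN_RE = re.compile(r"^sha256/[A-Za-z0-9+/]{43}=$")   # base64 of a 32-byte digest: 44 chars


def check_pin_entry(entry, app_host, current_pin=None, next_pin=None):
    """Return the problems found in one pinning entry (an empty list means it passes).

    entry        -- dict with the assumed key "host" and the "hashes" array shown in the thread
    app_host     -- hostname the mobile package was generated for (environment hostname,
                    or the customized Mobile App Domain Name)
    current_pin  -- SPKI pin of the certificate the server serves today
    next_pin     -- SPKI pin of the replacement certificate while a rotation is in progress
    """
    problems = []
    host = entry.get("host", "")
    if "*" in host or not HOST_RE.match(host):
        problems.append(f"host {host!r} must be one full hostname; wildcards are not allowed")
    elif host != app_host:
        problems.append(f"host {host!r} does not match the app hostname {app_host!r}")
    hashes = entry.get("hashes", [])
    problems += [f"malformed pin {h!r}" for h in hashes if not PIN_RE.match(h)]
    if len(set(hashes)) != len(hashes):
        problems.append("duplicate pins: on iOS the build is generated but does not start")
    if current_pin and current_pin not in hashes:
        problems.append("missing pin of the certificate currently served; connections would be rejected")
    if next_pin and next_pin not in hashes:
        problems.append("missing pin of the replacement certificate; add it before the switch")
    return problems


# Constructed samples with placeholder pins in the thread's own style (not real values).
OLD_PIN = "sha256/" + "A" * 43 + "="
NEW_PIN = "sha256/" + "B" * 43 + "="
ROTATION_READY = {"host": "cs11dev.outsystems.net", "hashes": [OLD_PIN, NEW_PIN]}
WILDCARD_HOST = {"host": "*.outsystems.net", "hashes": [OLD_PIN]}
DUPLICATE_PINS = {"host": "cs11dev.outsystems.net", "hashes": [OLD_PIN, OLD_PIN]}
```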

Carlos Simões wrote:

Hello, guys,

As stated in a recent email, OutSystems is renewing the "*.outsystemsenterprise.com" certificate and installing it as the default for cloud infrastructures in April 2020 (as mentioned in this article).

If your mobile app uses SSL Pinning and its server is using this certificate (i.e. if either the “DefaultDNSName” or “Environment hostname” values have a hostname ending in “outsystemsenterprise.com”), then you should do the following steps as soon as possible:

  1. Add its new thumbprint/hash to the pinning configurations of your mobile app (you can see the value on the FAQ of this article);

  2. Generate and distribute your mobile app.


Make sure you keep both the old and new certificate thumbprints/hashes on the configuration until the certificate has been switched for your environment. At that point, you can safely remove the old hash, generate and distribute a new version of the app.


Carlos,

Please, can you give me some information... I need to change our certificates. Is it necessary to send a new version of the app to the stores for review?


Thanks for your time,

Miguel