[SSL Pinning Plugin] - Implementation
Question (Solved) about the Forge component by OutSystems R&D
Published on 02 Sep 2020

Hi,

I'm trying to implement SSL Pinning on a mobile app and I have followed the instructions in these 2 articles (Article 1 and Article 2).

I have followed the instructions in the articles above and implemented accordingly; however, I do not think the SSL Pinning implementation is working accordingly because it always works. Even after I modified the keys I did not get any error whatsoever. Regardless of the keys I have in my app, I always manage to open the app and log in successfully.

Has anyone experienced the same issue, or have any idea what I might be doing wrong?

Thanks in advance

Rank: #116

Hello Fernando,

I'm using this plugin in every single application that I develop. Can you share your OML so I can check it out?


Kind regards,

Rui Barradas

Rank: #116

Hello again Fernando,

My first guesses without checking the code are:

1) Make sure your JSON resource is deployed in the pinning directory.

2) Make sure you have the RequireSSLPinning Block from the plugin inside one of your application screens (I always use Splash Screen).

3) Make sure you always generate the builds again before testing.


Kind regards,

Rui Barradas

Rank: #2501

Hello Rui,


Thanks for your prompt reply.
Please find attached the required OML.

About some of the points above:
1) I do have the JSON file in the pinning directory, and the deploy action set to Deploy To Target Directory.

2) I do have the RequireSSLPinning Block in my screens, though not directly on the screen but in an empty block.
3) Yes, I'm generating a new build before testing, though currently I'm only able to test on iOS.


Regards

ConvencaoAgentes.oml

Rank: #116

Hello Fernando,

I will take a look as soon as I can and let you know afterwards.


Kind regards,

Rui Barradas

Rank: #116
Solution

Hello again Fernando,

So I've checked your OML and these are my considerations:

1) Your resource pinning.json seems to be good. You have 2 dummy hashes, so the application shouldn't be working (it should raise an error due to an invalid certificate);

2) In your JSON file, you only have one host defined: LS*******FRTE01
This means that if your application is connecting to any other server (different host), this cross-check against the certificate hashes won't apply. Are you sure that this host is correct and your application is connecting to this host when you are testing it?

3) In the final version, you should have all of your hosts in the JSON file with their respective hashes per host.


Everything else seems correct to me.

The only difference between us is that I have the RequireSSLPinning Block directly in the Splash Screen.

You have it inside a CheckSSLPlugin Block where you check if the Plugin is available or not in the OnReady. I don't really think that you need this logic, but it doesn't make any difference.


Kind regards,

Rui Barradas
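
The host-scoping behaviour described in points 2 and 3 above (a host that is absent from pinning.json is never checked, so dummy hashes still "work" against it, while a listed host with non-matching hashes is blocked) is worth modelling, because it is exactly the symptom reported in this thread. The Python below is an added example and is not the plugin's own code: the `{"hosts": [{"host": ..., "hashes": [...]}]}` layout of pinning.json, the `sha256/<base64 SPKI hash>` pin format and all host names and pin values are assumptions, so check them against the plugin documentation before relying on them.

```python
"""Model of host-scoped certificate pinning (added example, not the plugin's code).

The pinning.json layout ({"hosts": [{"host": ..., "hashes": [...]}]}) and the
"sha256/<base64>" pin format are assumptions; verify them against the plugin docs.
"""
import base64
import hashlib
import json
import re

# A pin is the base64 SHA-256 of the server's DER-encoded SubjectPublicKeyInfo,
# prefixed with the algorithm label (the convention used by HPKP and OkHttp).
# 32 hash bytes encode to 43 base64 characters plus one '=' of padding.
PIN_RE = re.compile(r"^sha256/[A-Za-z0-9+/]{43}=$")


def spki_pin(spki_der: bytes) -> str:
    """Compute the 'sha256/<base64>' pin for a DER-encoded SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def normalize_host(host: str) -> str:
    """Hostnames compare case-insensitively and a trailing dot names the same host."""
    return host.strip().lower().rstrip(".")


def load_pins(text: str) -> dict:
    """Parse a pinning.json document into {normalized_host: set(pins)}."""
    doc = json.loads(text)
    pins = {}
    for entry in doc.get("hosts", []):
        host = normalize_host(entry["host"])
        pins.setdefault(host, set()).update(entry.get("hashes", []))
    return pins


def lint_pins(pins: dict) -> list:
    """Return human-readable warnings about a parsed pin set."""
    warnings = []
    for host, hashes in pins.items():
        if "://" in host or "/" in host:
            warnings.append(f"{host}: should be a bare hostname, not a URL")
        for h in hashes:
            if not PIN_RE.match(h):
                warnings.append(f"{host}: '{h}' is not a sha256/<base64> pin")
        if len(hashes) < 2:
            warnings.append(f"{host}: only one pin; keep a backup pin for key rotation")
    return warnings


def pin_decision(pins: dict, host: str, observed_pins: set) -> str:
    """Decide what happens when the app opens a TLS connection to `host`.

    observed_pins holds the pins of every certificate in the chain the server sent.
    'not-pinned': host is absent from the JSON, so no pin check runs at all and the
                  connection succeeds with ordinary TLS validation only.
    'allowed'   : at least one certificate in the chain matches a configured pin.
    'blocked'   : the host is pinned but nothing in the chain matches.
    """
    configured = pins.get(normalize_host(host))
    if configured is None:
        return "not-pinned"
    if configured & set(observed_pins):
        return "allowed"
    return "blocked"


# Constructed sample: one pinned host with two placeholder pins (valid format, not real keys).
SAMPLE_PINNING_JSON = json.dumps({
    "hosts": [
        {"host": "api.example.test",
         "hashes": ["sha256/" + "A" * 43 + "=", "sha256/" + "B" * 43 + "="]}
    ]
}, indent=2)


def run_demo() -> dict:
    """Reproduce the symptom from the thread: placeholder pins that 'always work'."""
    pins = load_pins(SAMPLE_PINNING_JSON)
    # Constructed: the pin the real server actually presents (matches neither placeholder).
    server_chain = {"sha256/" + "C" * 43 + "="}
    return {
        # The app talks to a host that is not in the JSON: pinning never runs.
        "wrong_host": pin_decision(pins, "other.example.test", server_chain),
        # The app talks to the pinned host: placeholder pins block the connection.
        "pinned_host": pin_decision(pins, "API.EXAMPLE.TEST", server_chain),
        "warnings": lint_pins(pins),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

To produce a real pin for a server certificate saved as PEM, hash its public key with the usual openssl pipeline (`openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`) and prefix the result with `sha256/`. Before treating "the app still connects" as proof that pinning works, run the linter over the deployed pinning.json and confirm that every host the app actually contacts is listed there with correctly formatted pins; a host that is missing is simply never checked.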

Rank: #2501

Hi Rui,

Thanks for your response.

After your feedback validating the implementation, I started considering other factors besides the implementation itself, so I decided to test the app in a different environment.
I tested the app in different environments and it worked as expected, which is an indication that the implementation is correct and the faulty behaviour must be due to misconfigurations of my DEV environment.

I will dig further into the matter, but for the purpose of the question I will consider the thread closed.

Thanks again for your valuable assistance.

Kind Regards
Fernando



Rank: #116

Hello Fernando,

That description proves that the implementation is indeed correct. I'm glad that you managed to do it.


Kind regards,

Rui Barradas