SSL Pinning communication - OutSystems Community

Hi OutSystems Community,


You’re receiving this message because OutSystems is applying a change to Mobile Apps that use the SSL Pinning Plugin. The change will take effect starting on July 1st.


Is my Mobile App affected? 

There are four options: 

  1. Your app does not include the SSL Pinning Plugin
    → No action required

  2. Your app includes the SSL Pinning Plugin and you are running the app in an on-premise infrastructure
    → No action required

  3. Your app includes the SSL Pinning Plugin and you are running the app in a cloud infrastructure, but you already have your own domain and SSL certificate
    → No action required. You're already in compliance with the new requirements

  4. Your app includes the SSL Pinning Plugin, you are running the app in a cloud infrastructure, and you are using the OutSystems default certificate
    → Keep reading. Action required


To keep your environments secure, OutSystems must periodically update the server certificates for its domains. This is relevant for environments that use the OutSystems default domains and certificates instead of certificates you acquired yourself. Apps in environments that use the default OutSystems managed domains and certificates can be affected when these server certificates are updated. One such case is SSL Pinning: when apps pin OutSystems managed server certificates, they stop working correctly when the server certificates are changed. Solving this requires generating a new version of the app and distributing it. Occasionally, OutSystems might not be able to give you timely notice before a change must be performed. Not performing these changes poses a risk for everyone involved.


To prevent these risks, OutSystems will no longer support the generation of native applications when SSL Pinning is configured to pin OutSystems managed server certificates, such as those for the default outsystemsenterprise.com domains. This limitation also affects non-production environments. If you are affected by this, you must acquire new domains and certificates and provide them to OutSystems.


OutSystems will provide a grace period, during which you can still generate an app if a specific extensibility configuration is added. The purpose is to give you time to adapt to the new requirements and acquire the necessary assets. This grace period ends on September 30th.


The following extensibility configuration can be added to a Mobile app:

{
    "preferences": {
        "global": [{
            "name": "BypassOSDomainsValidation",
            "value": "true"
        }]
    }
}

For more information, see Customize your mobile app.


Thank you, 
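
An added example, not part of the original post and not OutSystems code: a small inventory check that classifies each mobile app by whether its pinned hosts fall under the managed outsystemsenterprise.com domain and whether its extensibility configuration sets BypassOSDomainsValidation. The app names, hosts and status labels are assumptions made for illustration, and the list of pinned hosts is passed in directly rather than read from any plugin file.

```python
import json

# Managed domain named in the announcement; extend if your pins use others.
MANAGED_SUFFIXES = ("outsystemsenterprise.com",)
BYPASS_PREF = "BypassOSDomainsValidation"

def is_managed(host):
    """True if host is, or is a subdomain of, a managed domain."""
    host = host.strip().rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in MANAGED_SUFFIXES)

def bypass_enabled(ext_config):
    """True if the extensibility configuration JSON sets the bypass preference."""
    if not ext_config.strip():
        return False
    prefs = json.loads(ext_config).get("preferences", {}).get("global", [])
    return any(p.get("name") == BYPASS_PREF
               and str(p.get("value")).lower() == "true" for p in prefs)

def audit(app, pinned_hosts, ext_config=""):
    """Classify one app: ok, blocked, grace-period, or stale-bypass."""
    managed = sorted(h for h in pinned_hosts if is_managed(h))
    bypass = bypass_enabled(ext_config)
    if managed:
        # Managed certificate pinned: generation works only with the bypass set.
        status = "grace-period" if bypass else "blocked"
    else:
        # Bypass set with nothing managed pinned: leftover setting to remove.
        status = "stale-bypass" if bypass else "ok"
    return {"app": app, "status": status, "managed_hosts": managed}

# Constructed sample data: hypothetical app names and hosts.
BYPASS_JSON = ('{"preferences": {"global": '
               '[{"name": "BypassOSDomainsValidation", "value": "true"}]}}')
SAMPLE = [
    ("FieldApp", ["acme-dev.outsystemsenterprise.com"], ""),
    ("SalesApp", ["ACME.OutSystemsEnterprise.com."], BYPASS_JSON),
    ("PortalApp", ["apps.example.com"], BYPASS_JSON),
    ("HRApp", ["apps.example.com", "notoutsystemsenterprise.com"], ""),
]

if __name__ == "__main__":
    for app, hosts, cfg in SAMPLE:
        print(audit(app, hosts, cfg))
```

Apps reported as grace-period are the ones that need their own domain and certificate in place before the grace period ends.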
