[SSL Pinning Plugin] SSL Pinning does not work
Question
ssl-pinning-plugin
Forge component by Platform Maintenance
Application Type
Mobile

Using the current version 6.0.1, and building with MABS 7.0. Tests below were done on Android 8, SG7 Edge.

Our app is currently using <something>.outsystemsenterprise.com, and the full domain is entered in pinning.json, no wildcards, and the current fingerprint is U6vSutzZQ4RuSJwV2i0vUO6qtGcX5vGltvpGnNd5BEg=

To test whether it works...

  1. I completely removed the dev environment's domain from pinning.json, so that the domain and fingerprints for the dev environment are missing from the file.
  2. Updated pinning.json in the application module, and published.
  3. Rebuilt the application.
  4. Removed/deleted the old version of the app on the phone to be sure.
  5. Downloaded the application to the phone.
  6. Used Chrome USB remote debugging to inspect network requests; it still connects to the domain, and everything works fine.
  7. Downloaded the application to PC, and used APKtool to extract the pinning.json file.
  8. I confirm that pinning.json DOES NOT have the domain that the app is connecting to.

Another test:

  1. I re-added the domain, e.g. "client-dev.outsystemsenterprise.com", with fake hashes, e.g. "aaa...", "bbb...".
  2. Followed the same steps above.
  3. The app still works, and I confirm that the pinning.json file in the apk contains the correct domain, with the fake hashes.


According to the documentation, "Calls to server actions stop working if there's a hash mismatch." 

This doesn't seem to be the case.
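One way to script the check from steps 7 and 8 and from the second test, given as an added example that is not part of the original post or of the plugin: it audits a pinning.json extracted from the APK for a given host. The `hosts`/`host`/`fingerprints` layout, the optional `sha256/` prefix and the function names are assumptions, and the sample file is constructed.

```python
import base64
import binascii
import json

# Constructed sample mirroring the second test in the post: host present,
# placeholder pins. The {"hosts": [{"host", "fingerprints"}]} layout is an
# assumption about pinning.json; it is not shown on this page.
SAMPLE = json.dumps({"hosts": [{
    "host": "client-dev.outsystemsenterprise.com",
    "fingerprints": ["aaa", "sha256/bbb"],
}]})


def _strip(pin):
    """Drop an optional 'sha256/' prefix (assumed notation) from a pin."""
    return pin[len("sha256/"):] if pin.startswith("sha256/") else pin


def is_sha256_pin(pin):
    """True if the pin is strict base64 decoding to 32 bytes (a SHA-256 digest)."""
    try:
        return len(base64.b64decode(_strip(pin), validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def audit_pinning(pinning_text, host, observed_pin=None):
    """Classify what the packaged pinning.json says about `host`.

    observed_pin is the base64 SHA-256 fingerprint of the key the server
    actually presents, obtained separately by the tester.
    Returns "host-missing", "no-valid-pins", "pin-mismatch" or "pinned".
    """
    entries = json.loads(pinning_text).get("hosts", [])
    matches = [e for e in entries if e.get("host", "").lower() == host.lower()]
    if not matches:
        return "host-missing"       # first test in the post
    valid = {_strip(p) for e in matches
             for p in e.get("fingerprints", []) if is_sha256_pin(p)}
    if not valid:
        return "no-valid-pins"      # second test: only fake hashes
    if observed_pin is not None and _strip(observed_pin) not in valid:
        return "pin-mismatch"
    return "pinned"


if __name__ == "__main__":
    print(audit_pinning(SAMPLE, "client-dev.outsystemsenterprise.com"))
```

A result of `host-missing` or `no-valid-pins` for a host the app still reaches confirms from the packaged file itself that no usable pin for that host shipped in the build.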

MVP
Solution

Hi Jonathan,

If you are still facing the issue you have reported, please check if these instructions are applicable to your case.

SSL Pinning communication - OutSystems Community | OutSystems 


Regards,

Fabio

MVP

Hi Jonathan,

Please be aware of the important notice in the official OutSystems documentation related to using OutSystems provided certificates. OutSystems no longer supports the generation of the native mobile apps when using SSL Pinning to pin your apps to OutSystems managed certificates.  

https://success.outsystems.com/Documentation/11/Extensibility_and_Integration/Mobile_Plugins/SSL_Pinning_Plugin#Important_note_about_certificates

Regards,

Daniel

Hi,

This is relevant information that should be in the plugin details.


Best Regards,

Bruno F. Cantante
