Is it possible to link e.g. libcurl to an iphone app in order to have complete control over https certificates? Or will they typically flag this during review? Is this also a possible way to bypass application transport security? Are iphone apps even allowed to make tcp connections to port 443?
We use our own root certificate (expired though) for the APIs of our product and don't have a central server. All our clients do the necessary checks to never accept any other certificate than the ones signed by us. We want our iphone app to connect directly to our product (deployed at customers) and the product uses our certificates and cannot use tls 1.2 for the next years. Therefore we also want to bypass the strict requirement of application transport security to use tls 1.2.
Related
I do not know is it correct way or not but I am trying to get certificate from macos keychain and use it on flutter httpclient to establish a Certificate based connection. I just wonder is it possible or not.
For now i can get the certificate with native code with and i am returning the data:
var certificate: SecCertificate?
SecIdentityCopyCertificate(identityNotNil, &certificate)
let data = SecCertificateCopyData(certificate!)
then i try to use it like inside flutter:
SecurityContext context = SecurityContext.defaultContext
..useCertificateChain(certificateByteArray, password: 'password');
var _client = HttpClient(context: context);
but i am getting error about bad certificate. Maybe there is a way to reach keychain directly from flutter.
Thank you.
To be more specific, i am trying to use a certificate like :
https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_certificate-based_connection_to_apns
I assume that your question relates to flutter web - not a standalone Mac OS application? Then I can think of the following scenarios:
Use client certificates to establish an SSL based secure transport layer with certificate based authentication.
Use client certificates to exchange encrypted messages with encryption done by the application (both client and server) or use client certificates on the application layer for Authentication only.
Scenario 1: SSL with client certificates
In flutter web, HTTP Connections are only supported via XMLHttpRequest - the underlying JavaScript Object - under the hood flutter web code is transformed into JavaScript code. XMLHTTPRequest does NOT support any Client Certificates.
But you can configure the Browser to use client certificates when connecting to a WebServer via SSL - this would be fully transparent to the flutter web app. All modern browsers support client certificates and do access the MacOS keychain.
Of course, the server need to support SSL with client certificates. E.g. if you want to use client certificates in order to authenticate to a Spring Application based on SSL client certificates, this is described here:
Spring Security - Pre-Authentication Scenarios
Scenario 2: Application layer encryption/authentication
This is a very unusual scenario, as web applications usually rely on SSL for many good reasons: No coding is required and its pretty secure. But of course, it is technically feasible to implement encryption of all messages exchanged with the server on your own.
Letting aside the pure coding work (encryption libraries also exist for flutter), the key problem is to get the certificate and the private key into the application. Loading the certificate from the server without prior authentication (like the web app itself or all assets) would be a major security flaw, because then an attacker could also easily download the certificate/private key.
The only secure way I can think of, is to obtain the certificate and private key form the client computer. Unfortunately, a flutter web app - like every JavaScript app - is running in a Sandbox within a Browser, which puts major constraints on the application - for good Browser security reasons. Due to this sandbox, the flutter web app CANNOT access the Mac OS keychain directly.
But you can let the user pick a file with the certificate and private key. This is described here:
How to Pick files and Images for upload with flutter web
Trying to investigate private APIs on apps installed on my Android, I've noticed most modern apps use custom client certificate meaning with the trusted root certificate installed on the Android, Charles still cannot monitor the traffic because the server would reject the handshake from Charles. I imagine either I will need a different tool for the traffic monitoring or I will need to direct Charles to use some custom certificate file embedded in the app itself.
You need that certificate file at hand (I don't know if and how you can extract it from application).
You also need to know the passphrase (password) for that certificate. Charles will ask it when you connect to selected host for 1st time.
Then just use latest Charles (tested on version 4.2.1) menu Proxy -> SSL Proxying Settings, tab Client Certificates and add certificate (PKCS#12 key file) for selected host and port.
I have a gadget[*] that connects to the user's WiFi network and responds to commands over a simple REST interface. The user uses a web app to control this gadget. The web app is currently served over http and the app's javascript does AJAX calls to the gadget's local IP address to control it. This scheme works well and I have no issues with it.
[*] By "gadget" I mean an actual, physical IoT device that the user buys and installs within their home, and configures to connect to their home WiFi network
Now, I want to serve this web app over https. I have no issue setting up https on the hosting side. The problem is, now the browser blocks access to the gadget (since the gadget's REST API is over http and not https).
The obvious solution is to have the gadget serve it's REST API over https. But how? It has a local IP address and no one will issue a certificate for it. (Even if they did, I'd have to buy a boatload of certificates for each possible local IP address.) I could round-trip via the cloud (by adding additional logic on my server side to accept commands from the web app and forward it to the gadget over another connection), but this will increase latencies.
Is there a way around this problem? One possibility that I have in mind is to:
Get a wildcard certificate (say, *.mydomain.com)
Run my own DNS that maps sub-domains to a local IP address following a pattern (For example, 192-168-1-123.mydomain.com would map to 192.168.1.123)
Use the wild-card certificate in all the gadgets
My web app could then make AJAX calls to https://192-168-1-123.mydomain.com instead of http://192.168.1.123 and latencies would remain unaffected aside from the initial DNS lookup
Would this work? It's an expensive experiment to try out (wildcard certificates cost ~$200) and running a DNS server seems like a lot of work. Plus I find myself under-qualified to think through the security implications.
Perhaps there's already a service out there that solves this problem?
While this is a pretty old question, it is still nothing that you find out-of-the-box solutions for today.
Just as #Jaffa-the-cake posted in a comment, you can lean on how Plex did it, which Filippo Valsorda explained in his blog:
https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/
This is very similar to what you proposed yourself. You don't even need a wildcard certificate, but you can generate certificates on-the-fly using Let's Encrypt. (You can still use wildcard certificates, if you want, which Let's Encrypt supports now, too.)
Just yesterday I did a manual proof-of-concept for that workflow, that can be automated with the following steps:
Write a Web Service that can create DNS entries for individual devices dynamically and generate matching certificates via Let's Encrypt - this is pretty easy using certbot and e.g. Google Cloud DNS. I guess Azure, AWS and others have similar offerings, too. When you use certbot's DNS plugins, you don't even need to have an actual web server running on port 80/443.
On you local device, contact that Web Service to generate a unique DNS entry (e.g. ..yourdns.com) and certificate for that domain
Use that certificate in your local HTTPS server
Browse to that domain instead of your local IP
Now you will have a HTTPS connection to your local server, using a local IP, but a publicly resolved DNS entry.
The downside is that this does not work offline from arbitrary clients. And you need to think of a good security concept to create trust between the client that requests a DNS and certificate, and your web service that will generate those.
BTW, do you mind sharing what kind of gadget it is that you are building?
If all you want is to access the device APIs through the web browser, A Simple solution would be to proxy all the requests to the device through your web server.this was even self signed certs for the devices wont be a problem. Only problem though is that the server would have to be on the same network as your devices.
If you are not on the same network, you can write a simple browser plugin (chrome) to send the api request to IoT device. but then the dependency on the app/plugin will be clumsy.
I am implementing a push notification system for one of my apps, so I am following this tutorial and generating a SSL certificate for that.
This app of mine involves also, some exchange of data between the app and the server and I would like it to be SSL protected and I was wondering of getting a SSL certificate from verisign or other company like that.
My question is: is this SSL certificate created for push a regular SSL certificate, so in that can use it also to establish a https connection to the server (and save a couple hundred dollars to order a third party certificate)? I don't know much about SSL certificates, but I hope it can be used for that...
This will be amazing!
Since each certificate is tied to a specific domain, I'm not sure how this would work. There is a concept of wildcard certificates, but I still think they have to be for the same domain.
In your case, it sounds like you will have the Apple push certificate, which validates the connection between your server and Apple's push notification server. The other certificate would be to validate/secure the connection between your iOS app and your server. Both of these are assigned a different domain (gateway.sandbox.push.apple.com vs. yourserver.com).
One option you do have depending on how your iOS app is structured is to use a self-signed certificate between your iOS app and your server. I'm guessing the end-user will not be seeing the certificate anyway. This might be a way to save you money before deciding on a third party certificate.
The production Apple Push Notification service will begin to use a 2048-bit TLS/SSL certificate that provides a more secure connection between your provider server and the Apple Push Notification service.
Can any body explain what is this and what changes we need to make on Server/ iPhone app?
This will not affect anything on your side (as far as your SSL library supports 2048-bit keys/signatures, nearly all modern SSL client libraries do that).