IBM MobileFirst certificate pinning best practices

We are developing an IBM MobileFirst 7.1 Hybrid mobile application, and are planning to use the certificate pinning feature.
We can find information on the IBM website about SSL certificate pinning in MobileFirst: here is a post in the IBM Knowledge Center, and here is a tutorial and its sample project/code.
All these resources are great, but I have some questions:
Are there any advantages to using a native certificate pinning implementation for Android and iOS when my application is a hybrid application?
If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and can it then be updated using Direct Update?
Does the hybrid implementation of certificate pinning work on Windows Phone 8 (Hybrid app for the Silverlight environment)?
In the tutorial video, I have seen that when SSL pinning is ON and we call a URL outside our server (Google, for example) it will fail. Does this mean Google Maps will fail to load if I enable certificate pinning?
What happens when the SSL certificate is revoked?
What happens when the SSL certificate is expired?
What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate?
Please advise.

Are there any advantages to using a native certificate pinning implementation for Android and iOS when my application is a hybrid application?
You can always write your own code that does the pinning, or use 3rd-party Cordova plug-ins. But none of those assure you the level of support you get by using the provided functionality. Note that you are then limited to the functionality provided (for example, certificate pinning by MobileFirst is restricted to a single destination host and not multiple).
If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and can it then be updated using Direct Update?
You need to have the certificate in both the client and the server. You do not need to use Direct Update to update the certificate on the client.
The way it works is that you only need to update the certificate on the server, but you must maintain the same public key in case you do update it.
Does the hybrid implementation of certificate pinning work on Windows Phone 8 (Hybrid app for the Silverlight environment)?
As mentioned in the documentation, certificate pinning supports only: "native iOS, native Android, and hybrid iOS or hybrid Android".
In the tutorial video, I have seen that when SSL pinning is ON and we call a URL outside our server (Google, for example) it will fail. Does this mean Google Maps will fail to load if I enable certificate pinning?
The pinning relates only to requests that are bound to the MobileFirst Server and not to other services.
What happens when the SSL certificate is revoked?
Requests that are bound to the MobileFirst Server will fail.
What happens when the SSL certificate is expired?
Requests that are bound to the MobileFirst Server will fail.
What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate?
Because you only need to update the certificate on the server, you only need to make sure to keep using the same public key as before.

Related

How to manage automatically Azure IoT Edge certificates

I've read from here and here that every IoT Edge device in production needs a device certificate authority (CA) certificate installed on it. Otherwise the IoT Edge runtime will install a temporary certificate lasting 90 days, at the end of which the runtime must be restarted.
Since I have a lot of different edge devices to manage and it's unfeasible to do manual operations such as moving certificates into each provisioned device and manually modifying the config.yaml file of the edge runtime, what can be done in order to properly set up production certificates automatically?
You need to provide the "production certificates" as explained here: Manage device certificates - Azure IoT Edge. If you have your own CA, you can create the certificates and assign them to the devices; if not, you will need to choose between using commercial certificates (initially recommended for production environments) or using self-signed certificates. Currently there is an effort towards having a managed service (within DPS) to provide the certificate management, but it is currently under development.
Note that whether you use commercial certificates or self-signed ones, you will need to take care of certificate rotation before the expiration (if using self-signed certs, you also need to take care of their issuance and custody).

How to extend Keycloak to support fingerprint authentication

We have a legacy fingerprint authentication service; some other systems use it to identify users. This system uses an ActiveX control with a fingerprint scanning device; it can be used in desktop applications or web applications, not with mobile built-in fingerprint support.
How can I integrate this service with Keycloak? What are the basic steps?

PhoneGap module to detect certificate error (certificate pinning)

How can I detect certificate errors when attempting to access web content hosted on an HTTPS site with a certificate that would generate browser certificate errors or warnings?
It seems that currently the framework does not even send the HTTP request if the communication channel is not secure (i.e. if SSL is not enforced properly [e.g. the validation of the certificate's chain of trust fails])?
Similarly, what would be the best way to enforce certificate pinning?
Cheers
You can write your own PhoneGap plugin based on the following SO question:
How to pin the public key of a certificate on iOS
Here's some background on pinning from OWASP:
Pinning Cheat Sheet
If you end up writing the plugin, let me know as I'm interested too.
Check out this post, which includes a PhoneGap (Build) plugin for certificate pinning that compares the server certificate fingerprint with an expected value: http://www.x-services.nl/certificate-pinning-plugin-for-phonegap-to-prevent-man-in-the-middle-attacks/734
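The two pinning strategies mentioned in these threads behave differently at renewal time: the MobileFirst answer above says to keep the same public key when the server certificate is replaced, while the PhoneGap plugin just linked compares the certificate fingerprint. The following added example (not code from either thread, IBM, or the plugin author) builds three self-signed test certificates with openssl in a scratch directory, one original, one renewed on the same key and one re-issued on a new key, and shows that the SPKI public-key pin survives a same-key renewal while the certificate fingerprint does not. The host name and file names are constructed.

```shell
# Added example: compare public-key pinning with certificate-fingerprint pinning
# across a renewal. Everything is generated in a scratch directory; nothing here
# touches a real server. Host name and file names are constructed.
WORK="$(mktemp -d)"
SUBJ="/CN=mobilefirst.example"   # constructed host name

# Original key and certificate
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
  -out "$WORK/cert_v1.pem" -days 365 -subj "$SUBJ" 2>/dev/null
# Renewal that reuses the existing key (what the MobileFirst answer requires)
openssl req -x509 -new -key "$WORK/key.pem" \
  -out "$WORK/cert_v2_samekey.pem" -days 365 -subj "$SUBJ" 2>/dev/null
# Renewal that generates a fresh key (this silently breaks public-key pinning)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key2.pem" \
  -out "$WORK/cert_v3_newkey.pem" -days 365 -subj "$SUBJ" 2>/dev/null

# Public-key pin: base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP-style value
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Certificate fingerprint: SHA-256 over the whole DER certificate (what the
# PhoneGap plugin compares); it changes on every re-issue, even on the same key
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit status 0 when the certificate is inside its validity window right now
cert_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Exit status 0 when a client pinned to the key in $1 would still accept $2
pin_still_matches() {
  [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]
}

echo "v1 SPKI pin:       $(spki_pin "$WORK/cert_v1.pem")"
echo "v2 (same key) pin: $(spki_pin "$WORK/cert_v2_samekey.pem")"
echo "v3 (new key) pin:  $(spki_pin "$WORK/cert_v3_newkey.pem")"
echo "v1 fingerprint:    $(cert_fingerprint "$WORK/cert_v1.pem")"
echo "v2 fingerprint:    $(cert_fingerprint "$WORK/cert_v2_samekey.pem")"
```

Running `pin_still_matches` against the new server certificate before deploying it is the check that keeps a public-key-pinned app working through a renewal; a fingerprint-pinned app needs a client update at every re-issue.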

Trusting app signatures

I gather that most developers (except perhaps for larger companies) use self-signed certificates to sign their APK. Since this is required for app installation, the ability to sign your app is available to anyone. It is fairly simple to use keytool and jarsigner from the Java SDK. However, these self-signed certs and associated private keys do NOT guarantee any degree of security unless you can somehow match that certificate with someone you actually trust. There is no ability to revoke these self-signed certificates (no CRL) and there is no "issuer" (since the certs are almost always self-signed) who "vouches" in some way for the identity of the certificate/key holder who signs the code.
So does the Android platform have, or plan to have, any ability to prevent installation of apps SIGNED WITH A PARTICULAR SIGNATURE? Or to enable settings only allowing installation of apps signed by a cert/key issued by a list of trusted CAs (certificate authorities/issuers)?
However, there is some security available: in Settings/Security you can prevent installation of anything (even signed and manually copied to your SIM) unless it comes from the Play Store, the default setting. Also you might be able to install a user certificate and ONLY allow apps signed by that cert to install (even if from the Play Store?).
I don't think the purpose of these certificates is to ensure an identity as a normal certificate signed by a CA would. As it seems to me, the purpose of the certificates is just to have an extra security factor to ensure that the person that published the app for the first time is the one that publishes updates.
Without this, someone that hacks your Google account would be able to publish malicious updates to your entire user base.
So I would say it's basically a two-factor authentication for publishing.

SSL certificate for HTTPS, ActiveX signing and most mobile phone SDKs

This is more of a deployment than a programming question.
If I were to buy an SSL certificate from a CA, would I be able to use it to sign other applications (such as Symbian, Android, iPhone ones)?
You need to get two different certificates. One to secure a server (HTTPS) and one to sign code. You can compare code signing certificates here.
Server certificates (those that you'd use to enable HTTPS on a web server) are rarely enabled for code signing. I haven't looked at every CA in the world, and there probably are exceptions, but the more "legit" a CA is, the less likely they are to issue one certificate for both applications. In the end, I wouldn't expect to use the same certificate for both.
There is a better chance that a single code-signing certificate is accepted by most platforms. The developer documentation of each platform should list which CA certificates are built in as trusted roots. In addition, most platforms will allow a user to view and modify the list.
You need to buy a certificate that is specifically authorized for code signing. In other words, the certificate must have the Extended Key Usage (EKU) for Code Signing. The Object ID (OID) for code signing can be found here.
Most commercial CAs should be able to tell you which of their certificates have this.
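The EKU distinction in the last answers can be checked on any certificate you already hold before buying another. The following added example (not code from the thread) issues two self-signed test certificates in a scratch directory, one carrying the codeSigning EKU and one carrying serverAuth only, the shape of a typical HTTPS certificate, and inspects which of them advertises code signing. Subject names and file names are constructed; `-addext` needs OpenSSL 1.1.1 or later.

```shell
# Added example: tell a code-signing certificate from an HTTPS certificate by
# its Extended Key Usage. Test certificates are constructed in a scratch dir.
WORK="$(mktemp -d)"
CODE_SIGNING_OID="1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning, RFC 5280; for reference

# Self-signed cert with the code-signing EKU (constructed publisher name)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/sign.key" \
  -out "$WORK/codesign.pem" -days 365 -subj "/CN=Example Publisher" \
  -addext "extendedKeyUsage=codeSigning" 2>/dev/null
# Self-signed cert with a server EKU only, as an HTTPS certificate would have
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/web.key" \
  -out "$WORK/https.pem" -days 365 -subj "/CN=www.example" \
  -addext "extendedKeyUsage=serverAuth" 2>/dev/null

# Print the EKU names OpenSSL decodes for a certificate (one per line)
eku_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Extended Key Usage' | tail -n 1 | tr ',' '\n' | sed 's/^ *//'
}

# Exit status 0 when the certificate lists Code Signing among its EKUs
has_code_signing_eku() {
  eku_of "$1" | grep -qx 'Code Signing'
}

for cert in "$WORK/codesign.pem" "$WORK/https.pem"; do
  if has_code_signing_eku "$cert"; then
    echo "$cert: usable for code signing ($(eku_of "$cert" | tr '\n' ' '))"
  else
    echo "$cert: NOT usable for code signing ($(eku_of "$cert" | tr '\n' ' '))"
  fi
done
```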