IBM MobileFirst certificate pinning best practices

2019-04-29 06:14发布

问题:

We are developing an IBM MobileFirst 7.1 Hybrid mobile application, and planning to use the certificate pinning feature.

We can find information on IBM website about the SSL certificate pinning on IBM MobileFirst website : Here is a post in the IBM Knowledge Center and Here is a tutorial and its sample project/code

All these resources are great, but I have some questions :

  • Are there any advantages to use native certificate pinning implementation for Android and iOS when my application is a hybrid application ?
  • If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and then can be updated using direct update ?
  • Does the hybrid implementation of certificate pinning work on WindowsPhone 8 (Hybrid app for Silverlight environment) ?
  • In the tutorial video, I have seen that when SSL pinning is ON, and we call a URL outside our server (google for example) it will fail. Does this mean google maps will fail loading if I enable certificate pinning ?
  • What happen when the SSL certificate is revoked ?
  • What happen when the SSL certificate is expired ?
  • What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate ?

Please advice

回答1:

Are there any advantages to use native certificate pinning implementation for Android and iOS when my application is a hybrid application ?

You can always write your own code that does the pinning, or use 3rd party Cordova plug-ins. But none of those assure you the level of support you get by using the provided functionality. Note that you are then limited to the functionality provided (for example, certificate pinning by MobileFirst is restricted to a single destination host and not multiple).

If I use the hybrid environment code, will the SSL certificate be included in the wlapp, and then can be updated using direct update ?

You need to have the certificate in both the client and the server. You do not need to use Direct Update to update the certificate on the client.

The way it works is that you need to only update the certificate on the server, but you must maintain the same public key in case you do update it

Does the hybrid implementation of certificate pinning work on WindowsPhone 8 (Hybrid app for Silverlight environment) ?

As mentioned in the documentation, certificate pinning supports only: "native iOS, native Android, and hybrid iOS or hybrid Android"

In the tutorial video, I have seen that when SSL pinning is ON, and we call a URL outside our server (google for example) it will fail. Does this mean google maps will fail loading if I enable certificate pinning ?

The pinning relates only to requests that are bound to the MobileFirst Server and not to other services.

What happen when the SSL certificate is revoked ?

Requests that are bound to the MobileFirst Server will fail.

What happen when the SSL certificate is expired ?

Requests that are bound to the MobileFirst Server will fail.

What is the best SSL renewal strategy to keep certificate pinning working and the application up while updating our server SSL certificate ?

Because you only need to update the certificat eon the server, you only need to make sure to keep using the same public key as before.