Certificate pinning

The SDK provides functionality to pin your server's certificate. Please note that if you pin the server certificate itself, you will need to deploy a new version of the application whenever the server certificate changes. The better alternative is to pin the intermediate certificate of the Certificate Authority that issued your SSL server certificate (the second level in the certificate chain). This lets you renew the server certificate without deploying a new version of the application.

Manual Certificate Pinning

Export the certificate

You can use Firefox to export the certificate. Click on the lock icon of the SSL website and choose More Information. In the Security tab, press View Certificate, then go to the Details tab. There you can choose which certificate in the chain you wish to export.

Add the certificate to the bundle

Add the intermediate certificate encoded in DER format with a .cer file extension to the App workspace.

Certificate tampering protection

As the certificate is stored on the file system of the device, it is theoretically possible to change the certificate on the device. To prevent tampering, or at least to detect that a certificate has been replaced by a different one, the certificate is also provided to the client in base64 format. To obtain the base64 encoded certificate, the DER encoded certificate must be converted to PEM format with the following command:

openssl x509 -in <filename>.cer -inform der -out <filename>.pem -outform pem

The content of the .pem file is an armored base64 representation of the certificate. The content of the file stripped of its armor (the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- rows) must be provided to the client before a service request is made. Best practice is to add the base64 encoded certificate to the client during initialization using ONGClientBuilder.

NSString *const certificate = @"AaXeRCk/luuGtm87fM04wO+mPZn+C+mv626PAcwDj1hKvTfIPWhRRH224hoFiB85ccsJP81cqcdnUl4XmGFO3";
ONGClientBuilder *clientBuilder = [[ONGClientBuilder alloc] init];
self.oneginiClient = [[[clientBuilder setConfigModel:configModel] setX509PEMCertificates:@[certificate]] build];
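The conversion and the tamper check described above, as an added example in Python (not part of the SDK or of this guide): it strips the PEM armor into the continuous base64 string that setX509PEMCertificates: expects and compares a bundled DER file against that pin. The DER bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import hmac
import re
import textwrap

# One PEM-armored certificate block; re.S lets the body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_base64(pem_text: str) -> list[str]:
    """Strip the armor and line breaks from every certificate in a PEM file.

    Returns one continuous base64 string per certificate, in file order,
    which is the form passed to setX509PEMCertificates:.
    """
    pins = []
    for body in PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())           # drop CR, LF and indentation
        base64.b64decode(b64, validate=True)  # reject a corrupted block early
        pins.append(b64)
    return pins


def der_matches_pin(der_bytes: bytes, pinned_b64: str) -> bool:
    """Check that the bundled .cer (DER) matches the base64 pin compiled into the app."""
    expected = hashlib.sha256(base64.b64decode(pinned_b64, validate=True)).digest()
    actual = hashlib.sha256(der_bytes).digest()
    return hmac.compare_digest(expected, actual)


def der_to_pem(der_bytes: bytes) -> str:
    """Armor DER bytes the way `openssl x509 -outform pem` does (64-char lines)."""
    body = textwrap.fill(base64.b64encode(der_bytes).decode("ascii"), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins: minimal DER SEQUENCEs, not real certificates.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
TAMPERED_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x03])
# A constructed chain file with Windows line endings, as an exported .pem might have.
SAMPLE_PEM = (der_to_pem(SAMPLE_DER) + der_to_pem(TAMPERED_DER)).replace("\n", "\r\n")

if __name__ == "__main__":
    pins = pem_to_base64(SAMPLE_PEM)
    print("pins:", pins)
    print("bundle matches pin:", der_matches_pin(SAMPLE_DER, pins[0]))
    print("tampered bundle matches pin:", der_matches_pin(TAMPERED_DER, pins[0]))
```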

Automated Certificate Pinning

Certificate pinning can be done automatically as part of the process performed by the SDK Configurator. In this case, calling the - (void)setX509PEMCertificates:(NSArray *)certificates method is not required: ONGClientBuilder automatically finds the OneginiConfigModel in order to configure the certificates correctly.

ONGClientBuilder *clientBuilder = [[ONGClientBuilder alloc] init];
self.oneginiClient = [clientBuilder build];