react-native-ssl-pinning-proposal

Have you suggested this to react-native's official repo?

Open joonhocho opened this issue 8 years ago • 7 comments

joonhocho, Aug 02 '16 06:08

There were some comments in https://twitter.com/kudochien/status/684218643576561664. And it is actually why this repo existed. Unfortunately, the core team don't have any updates yet.

Kudo, Aug 02 '16 09:08

Hi @Kudo, I would like to ask, what's the current status of this feature in react-native? Have you been in contact with the core team or so? Is it real that this feature will be supported in the near future? Or is there a way to do this manually? Thanks

johnygomez, Sep 20 '16 14:09

@Kudo are there any updates?

amrdraz, Oct 06 '16 16:10

@Kudo @johnygomez @joonhocho I implemented certificate pinning for both Android and iOS in my app, see answer here

I wound up using OkHttpClientProvider in RN and a pod called TrustKit for iOS, while hard-coding the public keys in the native code.

amrdraz, Oct 30 '16 22:10

@amrdraz I've read your Stack Overflow document and it seemed a bit complex for us to adapt. Are there any alternatives that we could follow to implement certificate pinning in our React Native app? It's been a couple of months since you wrote your last comment.

@Kudo do you have any updates?

I've come across react-native-pinch. What do you think about that?

tanapaydin, Feb 14 '17 08:02

@tanapaydin I have not been working on React Native for a while and, sorry, do not have any updates. After looking into react-native-pinch, it is pretty good and seems to be the only solution in the meantime. Nice job @localz

Here I just want to describe why I mentioned signedsource.verify_signature() in my proposal. As I want to keep the convenience of setting up the pinning in JavaScript (instead of in the binary), to protect against the JavaScript being overwritten to disable or replace the pinning certificate, I propose doing digital signature verification for the JavaScript bundle. That is to check that your JavaScript has not been overwritten unexpectedly.

Kudo, Feb 15 '17 00:02
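The bundle signature check described in the comment above, as an added example that is not part of this thread or of any project mentioned in it. It assumes Ed25519 detached signatures via Node's built-in crypto module; the helper names, the sample bundle, the pin placeholder and the key pair are all constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed signing key pair (assumption): in a real app the private key stays
// on the build machine and only the public key is compiled into the native binary.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Build step (hypothetical helper): sign the exact bytes of the shipped bundle.
function signBundle(bundleBytes, key) {
  return nodeCrypto.sign(null, bundleBytes, key); // Ed25519 takes no digest name
}

// Load step (hypothetical helper): hand the bundle to the JS engine only if the
// detached signature verifies against the embedded public key. Fails closed.
function loadVerifiedBundle(bundleBytes, signature, trustedPublicKey) {
  if (!Buffer.isBuffer(signature) || signature.length !== 64) {
    throw new Error('bundle signature missing or malformed');
  }
  if (!nodeCrypto.verify(null, bundleBytes, trustedPublicKey, signature)) {
    throw new Error('bundle signature mismatch: refusing to load');
  }
  return bundleBytes.toString('utf8');
}

// Constructed sample bundle that carries the pin configuration in JavaScript.
const bundle = Buffer.from(
  'global.PINS = { "api.example.com": ["sha256/PLACEHOLDER_PIN_A="] };\n'
);
const signature = signBundle(bundle, privateKey);

// The same bundle with the pin replaced after signing.
const tampered = Buffer.from(bundle.toString('utf8').replace('PIN_A', 'PIN_X'));

// Returns 'loaded' or the reason the bundle was rejected.
function check(bytes, sig) {
  try {
    loadVerifiedBundle(bytes, sig, publicKey);
    return 'loaded';
  } catch (e) {
    return e.message;
  }
}

console.log(check(bundle, signature));   // untouched bundle
console.log(check(tampered, signature)); // pin swapped after signing
console.log(check(bundle, null));        // signature file stripped
```

The check only helps if the public key and the verification code live in the native binary, outside the bundle they protect.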

@tanapaydin I have not checked out react-native-pinch, but if you're wondering if my SO answer still works, it does; I recently upgraded the app to 0.42.

That said, TrustKit, the very convenient plugin I had used for iOS, seems to have also become available for Android in the time since my post, so it may be more convenient to just use it.

These are my updates, best of luck.

amrdraz, Apr 26 '17 06:04