cordova-plugin-advanced-http
Android & iOS Certificate Pinning
Android and iOS have a very simple setup for certificate pinning as described here:
- https://developer.android.com/privacy-and-security/security-config#CertificatePinning
- https://developer.apple.com/news/?id=g9ejcf8y
I would like to use this setup to only enable certificate pinning for certain domains. See network_security_config.xml below:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false"/>
    <domain-config>
        <domain includeSubdomains="true">mydomain.com</domain>
        <pin-set expiration="2024-04-27">
            <!-- my certificate hash -->
            <pin digest="SHA-256">................</pin>
            <!-- my certificate backup hash -->
            <pin digest="SHA-256">................</pin>
        </pin-set>
    </domain-config>
</network-security-config>
With this setup I only want to have certificate pinning for "mydomain.com".
In your setup I found certificate pinning which requires the certificates of every domain that is called from the app. A setup like the one above doesn't work, right?
As a first step I also tried to have this XML in addition to this plugin, but it seems like this plugin overrides my XML and doesn't care about my settings.
Any help? Thanks a lot!
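A check for the kind of per-domain pinning file shown in the post above, as an added example that is not part of the original post or of the plugin's code: it lists which domains a network_security_config.xml pins and flags pin-sets that are expired, lack a backup pin, or carry malformed digests. The function name `audit` and the sample pin values are assumptions made for illustration, and only top-level `domain-config` elements are examined.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import date

def _pin(seed: bytes) -> str:
    # Constructed sample pin: base64 SHA-256 of placeholder bytes, not a real key.
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()

# Constructed sample mirroring the structure of the config in the post.
SAMPLE = f"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false"/>
    <domain-config>
        <domain includeSubdomains="true">mydomain.com</domain>
        <pin-set expiration="2024-04-27">
            <pin digest="SHA-256">{_pin(b"primary")}</pin>
            <pin digest="SHA-256">{_pin(b"backup")}</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""

def audit(xml_text: str, today: date) -> list[dict]:
    # Hypothetical helper: one report entry per top-level <domain-config>.
    root = ET.fromstring(xml_text.encode("utf-8"))
    report = []
    for cfg in root.findall("domain-config"):
        domains = [d.text.strip() for d in cfg.findall("domain") if d.text]
        pin_set = cfg.find("pin-set")
        issues = []
        if pin_set is None:
            issues.append("no pin-set: domain is not pinned")
        else:
            pins = pin_set.findall("pin")
            if len(pins) < 2:
                issues.append("fewer than two pins: no backup key")
            for p in pins:
                try:
                    raw = base64.b64decode((p.text or "").strip(), validate=True)
                except ValueError:
                    raw = b""
                if p.get("digest") != "SHA-256" or len(raw) != 32:
                    issues.append("pin is not a base64 SHA-256 digest")
            exp = pin_set.get("expiration")
            # Android stops enforcing the pins once the expiration date is reached.
            if exp and date.fromisoformat(exp) <= today:
                issues.append(f"pin-set expired {exp}: pinning no longer enforced")
        report.append({"domains": domains, "issues": issues})
    return report
```

Running `audit(SAMPLE, date.today())` in a build step makes an expired pin-set visible before release instead of letting the app fall back silently to unpinned TLS.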