ssl-pinning-android
periodicUpdateIntervalMillis unexpected behavior
Hello, how are you? We are integrating the Wultra component in one of our apps, but we are having doubts about updating certificates. The "periodicUpdateIntervalMillis" parameter is apparently not working. How can we guarantee that whenever the certificate is renewed on the server (.json) the component will read it, please?
Hello @fmestre01, thank you for reporting the issue! After a quick analysis and brief understanding of the problem, I can suggest the following:
- Consider using the Mobile Utility Server component instead of a static JSON file. It allows easier deployment and certificate fingerprint management, and the signatures provided by this active component are better, since we sign the entire JSON payload instead of just individual records.
- To enforce a certificate update in the app, consider using UpdateMode.FORCED when updating the CertStore data. This will always download a new set of certificates from the server. For banking apps, this would be our recommendation anyway - the overhead is relatively small and I believe the security improvement of the strict certificate verification is worth the additional call.
- Implement a Global Validation Observer and add it to the CertStore. This way, you will learn about certificate failures that happen during the app lifetime and you will be able to update the CertStore on the first failure.
Also, please do not hesitate to schedule a technical call with us to discuss implementation details - we will be happy to advise on the implementation:
- https://calendly.com/wultra/e-meeting
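The following Kotlin snippet is an added example that is not part of this thread or of the wultra/ssl-pinning-android project. It wires together the second and third suggestions above: a forced fingerprint download on app start, and a global validation observer that triggers another forced download on the first validation failure, with a guard so that several concurrent failures do not start several downloads. The class and method names (CertStore, CertStoreConfiguration.Builder, powerAuthCertStore, update, UpdateMode.FORCED, UpdateObserver, UpdateType, UpdateResult, ValidationObserver and its three callbacks, and the package name) are assumptions about the library's API and must be checked against the version you ship; the service URL and public key are placeholders.

```kotlin
// Added example, not code from the thread or the project.
// ASSUMED API: every imported type and every method called on it is taken from memory of the
// library and labelled as an assumption; verify against your library version.
import android.content.Context
import android.util.Base64
import com.wultra.android.sslpinning.CertStore
import com.wultra.android.sslpinning.CertStoreConfiguration
import com.wultra.android.sslpinning.UpdateMode
import com.wultra.android.sslpinning.UpdateObserver
import com.wultra.android.sslpinning.UpdateResult
import com.wultra.android.sslpinning.UpdateType
import com.wultra.android.sslpinning.ValidationObserver
import java.net.URL
import java.util.concurrent.atomic.AtomicBoolean

class PinningBootstrap(appContext: Context) {

    // PLACEHOLDERS: replace with the fingerprint service URL and the public key of your deployment.
    private val serviceUrl = URL("https://example.invalid/certificates.json")
    private val publicKey: ByteArray = Base64.decode("PLACEHOLDER_BASE64_PUBLIC_KEY", Base64.NO_WRAP)

    private val certStore: CertStore

    // Guards against an update storm when several requests fail validation at the same moment.
    private val updateInFlight = AtomicBoolean(false)

    init {
        // ASSUMED builder signature (serviceUrl, publicKey).
        val configuration = CertStoreConfiguration.Builder(serviceUrl, publicKey).build()
        certStore = CertStore.powerAuthCertStore(configuration, appContext)

        // Third suggestion from the thread: observe validation failures during the app lifetime
        // and refresh the fingerprints from the server on the first one.
        // ASSUMED observer interface and callback names.
        certStore.setGlobalValidationObserver(object : ValidationObserver {
            override fun onValidationTrusted(commonName: String) {
                // Fingerprint matched; nothing to do.
            }
            override fun onValidationUntrusted(commonName: String) {
                // A pinned host presented a certificate we do not know: likely a server-side renewal.
                forcedUpdate()
            }
            override fun onValidationEmpty(commonName: String) {
                // No fingerprints for this host at all: the store is stale or was never filled.
                forcedUpdate()
            }
        })
    }

    // Second suggestion from the thread: on app start, always download the current fingerprint
    // set instead of relying on the periodic-interval heuristic.
    fun updateOnAppStart(onDone: (UpdateResult) -> Unit) = forcedUpdate(onDone)

    private fun forcedUpdate(onDone: (UpdateResult) -> Unit = {}) {
        // Only one forced update at a time; later triggers piggyback on the one in flight.
        if (!updateInFlight.compareAndSet(false, true)) return
        certStore.update(UpdateMode.FORCED, object : UpdateObserver {
            override fun onUpdateStarted(type: UpdateType) {
                // Could be used to show a progress indicator.
            }
            override fun onUpdateFinished(type: UpdateType, result: UpdateResult) {
                updateInFlight.set(false)
                // The request that triggered the refresh has already failed; the caller should
                // retry it only after a successful update.
                onDone(result)
            }
        })
    }
}
```

Usage: create one PinningBootstrap per application process, call updateOnAppStart from the Application's onCreate before the first pinned request, and retry a failed request only after the observer's forced update reports success.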
Thanks for the quick response. We will review the suggestions and comments.
@fmestre01 Absolutely! Let me know if I could help with anything. :-)
Also, I understand that setting up components like ours without any assistance can be difficult and time-consuming. Besides scheduling a call with us as I suggested earlier, we can invite you to our Slack/Teams channel to provide faster ad-hoc consulting over chat. If this is of interest, please reach out to me at [email protected]...
There was no follow-up to this issue; I assume that the issue was either resolved or abandoned.