AWS IoT connection is getting closed on iPad OS v12.1.1 - iOS

When connecting to AWS IoT using the wss protocol on iOS version 12.1.1, we are able to connect to IoT successfully, but immediately we see an onError event being triggered from IoT and then the connection gets closed. It tries to reconnect again but without any luck. The error we are getting from IoT is "{IsTrusted : true}".
We are not using any certificates, just a profile access key and secret key.
The same build is able to connect properly on iOS 12.0.1 and 12.1.
iOS version: 12.1.1 (not working version)
AWS IoT SDK: 2.0.0

iOS 12.1.1 introduced Apple's new Certificate Transparency policy. From Apple's release notes:
iOS 12.1.1 requires that publicly-trusted Transport Layer Security (TLS) server authentication certificates issued after October 15, 2018 meet the Certificate Transparency policy to be evaluated as trusted on Apple platforms.
This policy is becoming a widespread standard which Google already enforces in its Chrome browser. Amazon knew this was coming and, in response to these new policies, released updates to their MQTT backend (AWS IoT) to include appropriate certification on a new endpoint. See https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/:
You must explicitly request an Amazon Trust Services endpoint for each region in your account. Any existing customer endpoint you have is most likely a VeriSign endpoint. If your endpoint has “-ats” at the end of the first subdomain, then it is an Amazon Trust Services endpoint. For example, ‘asdfasdf-ats.iot.us-east-2.amazonaws.com’ is an ATS endpoint.
In short, for my iOS app, we were using our AWS-provided MQTT endpoint asdfasdf.iot.us-east-2.amazonaws.com (just an example), without the -ats. I updated the endpoint to asdfasdf-ats.iot.us-east-2.amazonaws.com and we were able to accomplish our SSL handshake.
I hope this helps with your issue! Good Luck!

Related

Config Azure application proxy using the graph API

I'm trying to automate the Application Proxy configuration. I can create applications and service principals and configure permissions, but I can't find a way to configure the app proxy. I found this page https://learn.microsoft.com/en-us/graph/application-proxy-configure-api?tabs=http but it uses the beta version.
Are there any endpoints in the release version of the Graph API that I can use to configure the app proxy, or when is MS going to release the beta version?
As far as I can see, the Azure portal uses the https://main.iam.ad.ext.azure.com/api API to configure the app proxy. Can I use this API in my automated process? If so, how can I obtain a token for this API?
I found that I can obtain a token using az account get-access-token --subscription $subscription --resource 74658136-14ec-4630-ad9b-26e160ff0fc6 but it doesn't work for me because I have to use the OAuth authorization code flow. Is there any chance to use this https://main.iam.ad.ext.azure.com/api API?
I found the following endpoint as well, but still I'm not going to pass the client username and password through my app.
POST https://login.microsoftonline.com/{{tenantId}}/oauth2/token
resource:74658136-14ec-4630-ad9b-26e160ff0fc6
grant_type:password
username:{{username}}
password:{{password}}
As mentioned in the document, the Application Proxy configuration is only supported in the beta version, so you could raise a feature request for this to be available in the v1 release as well.
Raise a feature request here: https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/idb-p/Microsoft365DeveloperPlatform

Which SSL certificate can ensure a secure TCP connection between a C# listener on an Amazon Lightsail instance and an iOS app?

I created a simple .NET Core console application in C# which uses TcpListener to accept connections on a specific port and return an answer.
I bought an AWS Lightsail instance and deployed my server application manually via RDP. The instance has a static IP address and a domain name like ec2-<IP>.eu-central-1.compute.amazonaws.com (as I discovered via reverse DNS lookup). The client is an iOS application and it needs a secure TCP connection to transfer data to the server and vice versa. The iOS app is not working with my self-signed certificate - it needs to use a certificate from a trusted CA, so the question is: where can I get a trusted SSL certificate for the Amazon Lightsail instance mentioned above?
I created a package to help with sockets and iOS using Obj-C. Also included is a very good resource for creating a certificate that will work. You will probably need to create a certificate authority, an intermediate certificate authority, and server/client certificates; check out the link:
https://github.com/eamonwhiter73/IOSObjCWebSockets/tree/master

iOS - how do I get server certificate into iOS client keychain for pinning

TL;DR version: Is there any way to pass a Server certificate to an iOS client that doesn't involve also passing along the Server's private key?
I have written an iOS client app that communicates with my macOS server app (so I have control over both ends). I have implemented certificate pinning using a self-signed certificate to make things more secure. To accomplish this during development, I hardcoded the Server cert into the iOS client app and told the client to only connect to a server that gives you that exact cert during the TLS handshake. Everything is working great.
However, in the real world I am selling this system as a set (1 server, multiple clients to each customer), so I cannot hardcode a server cert into the iOS client. My plan is to instead deliver the server cert out of band (via email) to the iOS client, as mentioned here: Making Certificates and Keys Available To Your App:
Apps can only access keychain items in their own keychain access groups.
To use digital identities in your own apps, you will need to write code to import them. This typically means reading in a PKCS#12-formatted blob and then importing the contents of the blob into the app's keychain using the function SecPKCS12Import.
One way to provision an identity is via email. When you provision a device, send the associated user an email with their client identity attached as a PKCS#12 file.
My problem is that a .p12 file contains the certificate and the private key of the server - it seems very wrong to pass the private key along as well.
Is there any other way to pass the Server certificate to the iOS client that doesn't involve also passing along the Server's private key?
Thanks!!!
I was overthinking things here, the solution is actually pretty simple.
I just needed to email the server's public certificate out of band to the client device with a custom extension like cert.myCustomExt1234. This is because the .crt extension is already claimed by iOS, so you have to register your app to handle custom extensions (see the Apple docs here). Then in my app I can do all the logic of cert pinning using that out-of-band delivered server public cert.
The key was changing the file extension to something not already claimed by iOS.

Install TLS 1.2 Certificate on iOS App

How do I install a certified TLS certificate on an iOS app?
I assume there also needs to be the ability to send a new certificate over the network to the app in the future, if need be, and how exactly would that work?
I assume once it's installed that Apple will handle the entire handshake process of the device side?
Had some trouble finding explicit answers to these questions online.
Assuming that what you are describing is a signed SSL certificate for your domain name, the only thing you will need to do is install it on your web server. When your application makes a request to your web server, the server will send the certificate to the client during the initial HTTPS handshake, and the client will verify it automatically.

How to secure my API using node.js when only my app is using this API

I want to create an iOS app, and I am starting to design an API using node.js+mongodb+express. I know people can use Charles to set up a proxy and, when a user opens the app on an iPhone device, they can see the API requests in the Charles app. So people can use this API to do some harm to the app services. I want to secure my API. I won't open my API to others, so I don't need OAuth. What else can I do to secure my API? And if any tutorial is provided, that will be good.
Do it with HTTPS; just make sure your app stops working if the certificate is invalid.
Alternative:
Encrypt/decrypt your HTTP(S) body before sending/after receiving with a global password (not recommended) or a public key on your phone and a private key on your application.
If someone gets that password or public key, they can still manipulate the API.
What you want to do is use HTTPS with additional security.
First: in the app, "pin" the server certificate, that is, validate the server certificate in the app; this is quite common these days. AFNetworking supports this.
Second: add a certificate to the app and verify it on the server. Now the server knows it is communicating with your app.
Now both the server and app have assurance they are communicating with authenticated endpoints.
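The two answers above that deal with pinning (the self-signed server certificate delivered out of band without its private key, and the server additionally verifying a certificate presented by the app) together describe one mutual-authentication setup, and a single small program can exercise both halves. The following is an added example written for this page, not code from any of the posters, from AFNetworking or from the Node.js stack. It is in Go only because the standard library can mint a throwaway CA with server and client certificates and run both ends of the TLS handshake over loopback with no network access; the function names mintCert, spkiPin and handshake and the subjects "Demo Root CA", "server.example" and "ios-app" are constructed for the example. The pin is a SHA-256 hash of the server's SubjectPublicKeyInfo, which is computed from the public certificate alone, so the file mailed to the device never has to contain the server's private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert issues a P-256 certificate for cn, signed by parent or self-signed as a
// root CA when parent is nil. Constructed throwaway PKI for the demo, hence must/panic.
func mintCert(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	issuer, signer := tmpl, any(key)
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// spkiPin is what the app carries (built in, or delivered out of band): SHA-256 of
// the server's SubjectPublicKeyInfo, computable from the public certificate alone.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// handshake runs one TLS connection over loopback. The server requires a client certificate
// chaining to ca (server authenticates the app); the client accepts the server only if its
// key hash equals pin (app pins the server). A nil client presents no certificate.
func handshake(server, ca tls.Certificate, client *tls.Certificate, pin string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake()
		}
		srvErr <- err
	}()
	cfg := &tls.Config{
		InsecureSkipVerify: true, // no CA store: the pinned key is the only trust anchor
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			if spkiPin(leaf) != pin {
				return errors.New("server key does not match the pinned value")
			}
			return nil
		},
	}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err // client-side rejection (e.g. pin mismatch)
	}
	conn.Close()
	return <-srvErr // server-side rejection (e.g. missing client certificate)
}

func main() {
	ca := mintCert("Demo Root CA", nil)
	server, client := mintCert("server.example", &ca), mintCert("ios-app", &ca)
	fmt.Println("pin ok + client cert:", handshake(server, ca, &client, spkiPin(server.Leaf)))
	fmt.Println("wrong pin:           ", handshake(server, ca, &client, "wrong"))
	fmt.Println("no client cert:      ", handshake(server, ca, nil, spkiPin(server.Leaf)))
}
```

The three calls in main show the expected outcomes: a matching pin plus a valid client certificate succeeds, a wrong pin is refused by the client before any application data is sent, and a missing client certificate is refused by the server. InsecureSkipVerify is acceptable here only because VerifyPeerCertificate enforces the pin; without that check it would disable server authentication entirely. Pinning the key hash rather than the whole certificate also lets the server renew its certificate under the same key without an app update; when the key itself must change, ship the new pin alongside the old one for a transition period.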
