How do you update expired ssl certificates if ssl pinning is used on ios apps? It seems like only an app update would enable updating the certificate but then users who don't update the app will not receive this update.
The key is to understand the possible values for AFSecurityPolicy's pinningMode.
AFSSLPinningModeCertificate means that the certificate provided by the server must match exactly one of the pinned certificates, which by default are the certificates in your app bundle. This is the mode you are currently using.
AFSSLPinningModePublicKey means that the certificate provided by the server must contain the same public key as one of the certificates pinned by your app.
If you use AFSSLPinningModePublicKey and renew (update) your server certificate with the same keypair, your iOS app will continue to work without modification.
To address the second part of the question, yes users with old versions will be locked out.
To lower the impact, a common strategy is to include the new certificate alongside the soon to be expired certificate. This gives users a few 'buffer' versions they can be on and still have access after the changeover.
Related
I have an application that performs requests to a server. The server has a certificate that is going to expire soon. My application is performing SSL pinning with certificates (not public keys).
Supposedly, they're going to renew the server certificate before it expires, but I'm not sure if that alone will suffice and my pinned certificates will still work (since the certificates are renewed, they claim those certificates will remain the same), or I have to forcefully change my certificates in the application in order to keep the pinning working.
Do I have to change my application certificates?
I've googled around, but I can't make a definitive assumption.
Thanks in advance.
If you're pinning the leaf certificate, you will need to update your app with the new leaf certificate or pinning will fail. You can ship both the old and new certificates with the app at the same time and pinning should continue to work just fine.
If you're pinning the public key or one of the branch certificates, and you can verify those items aren't changing with the new certificate, you may not need to do anything.
Ultimately it's important to find out how pinning is currently being achieved (you tagged Alamofire, so I'm assuming you're using it) and how the new cert is being generated.
I created a Self-Signed CA and trust this certificate in Settings and it's working well in iOS 12. But after I upgrade the iOS version to 13, even the certificate trusted in Setting but still can't get it to working. So how do I fix this?
Nothing is known about your certificate but it might be that it is not meeting the new requirements introduced in iOS 13. Requirements for trusted certificates in iOS 13 and macOS 10.15 describes these and these include that RSA keys must be at least 2048 bits and it is no longer possible to use SHA-1 as signature algorithm.
I Happen to try something and it actually worked, Send the self signed .cer to the iphone with another configured email. The cert will be added to the iphone cert store. And Go to general setting then find Profil. Within the option you will see the name of the cert you just added and the option to configure it. Just do that in first place. Once done. Add the Exchange email account just like any other, it will prompt with certificate error but you will the option to continue and the account will be added correctly. I tried on Iphone 11 in the Mail App with Latest IOS.
I have successfully implement SSL pinning in my application as below:
https://infinum.co/the-capsized-eight/how-to-make-your-ios-apps-more-secure-with-ssl-pinning
But in this approach, I have to placed my certificates in the app bundle on the client side. During the every request I will check or match it with server certificates in the form of NSData. It is working fine.
Problems/Queries:
Certificates which is placed in app bundle, Can easily access by anybody just extract the iPA.
Every time when server certificates changes, I have to update certificates on client also and release a new iPA.
Please correct or suggest me the best way to overcome above two problems.
Thanks in advance.
I don't have private key of APNS certificate which is being used in live app where notifications are working fine. However, I want to integrate freshchat sdk which requires APNS certificate to be uploaded on their server. Is it possible to create a new APNS certificate for this whithout affecting the previos one? SO basically I'll have two APNS certificate(prodcution) for one bundleID
Yes, you can have up to two certificates each for sandbox and production:
Assuming you only have one certificate now, you could add a second.
This time, though, back up that private key!
Both certificates can be used at the same time. You could, for example, transition your existing services to use the new certificate. Once they have all been updated you could remove the old certificate for which you have no private key.
Does the AppleWWDRCA.cer have any bearing on developing certificates using OpenSSL? If so, what? If not, what is it's use?
Edit:
I am using Windows. I do not need an answer concerning Mac development.
So far, using OpenSSL, I have created development apps (signed, and with certificates), ad hoc apps for multiple developers (signed, and with certificates), and they all have worked just fine. This is (probably) only a question about whether it is needed to put an app in Apple's App Store.
No, the WWDR Certificate is only used to authorize your app for selling/integrating on the Apple App Store.
Public OpenSSL certificates are (generally) given to your application from an outside Certificate Authority and used by your users to authenticate (prove that your application is indeed what it claims to be) your application and encrypt the data they send in a SSL connection. These can be generated entirely independently of your WWDR certificate.