Commit 4634740

Update https.md
1 parent ef0e711 commit 4634740

1 file changed

+21
-2
lines changed

https.md

Lines changed: 21 additions & 2 deletions
@@ -68,8 +68,27 @@ To solve that problem browser like Chrome, Firefox, Safari etc. come embedded wi
6868
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
6969
```
7070

71-
### Certificate Pinning for apps
72-
#TODO
71+
### Certificate Pinning for apps (and website)
72+
#### What's this now?
73+
In general any user who has an access to the app can see all the API calls even if it HTTPS. To do that he creates a certificate authority and tells the device (Android / iOS) to trust it. Now when you connect to the server it replaces your server's certificate with the one generated `on the fly` with its certificate (own public/private `key` pair) and now he can sit in the middle and act as server for the mobile client and act as client for the server. Sneaky.
74+
75+
#### Wait! Isn't HTTPS supposed to prevent that?
76+
Yes, but HTTPS can only help you when the trusted certificate authorities are actually trust worthy. In this case, the user forced the device to a trust his own created certificate authority!
77+
78+
#### So, how do I prevent that?
79+
Certificate pinning - Basically, in your app bundle, hard code the server certificate and before doing any API call check the whether the server is really using that same hardcoded certificate or someone tried to sneak in its own certificate.
80+
81+
#### Caution
82+
* In case the certificate changes on the server side you will have to force the users to update the app else the app will stop working.
83+
* If you mess up the certificate pinning, you will have to ask users to update the app else the app will stop working.
84+
85+
#### A better way!
86+
Certificate pinning is a good way to prevent this but there is one better way to ensure no one can snoop in - use `public key pinning`. Generally sites like Google rotates its certificate so you will have to force users to update your app. Instead what you should pin in your app is the `public key` which remains static even when Google rotates its certificate hence not needing any app update. This is called `Public key Pinning`.
87+
88+
* Android and iOS sample code examples:
89+
```
90+
https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/
91+
```
7392

7493
### Precautions for general public
7594
#TODO
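Review bot: the "A better way!" paragraph overstates the benefit of public key pinning: a pinned key still breaks the app when the server's key pair is rotated (not only when a certificate is reissued for the same key), so the two bullets under "Caution" apply to key pinning as well and the text should say so instead of presenting it as "not needing any app update". Suggest stating the usual mitigation next to it: pin the hash of the SubjectPublicKeyInfo rather than the raw certificate, ship at least one backup pin for a spare key kept offline so a rotation or compromise does not force an emergency app update, and give the pin set an expiry so a forgotten pin fails open rather than bricking old installs. Two smaller points: the heading `### Certificate Pinning for apps (and website)` adds "(and website)" but nothing in the section covers the browser case, so either drop the parenthesis or mark that part TODO; and the sample-code pointer `https://www.paypal-engineering.com/2015/10/14/key-pinning-in-mobile-applications/` sits inside a code fence, where it renders as unclickable text, so make it a Markdown link and label it as PayPal's write-up. Typos in the same hunk: "trust worthy" should be "trustworthy", "to a trust his own created" should be "to trust his own", "check the whether" should be "check whether", and "sites like Google rotates" should be "sites like Google rotate".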
