Enhanced Cordova App Security with SSL Certificate Pinning

Erisu
May 23, 2017 · 4 min read

A simple static application has fewer security concerns than a dynamic application that requires an internet connection. One concern a developer might have with either a static or a dynamic application is how to prevent unauthorized users from copying or reading the source code. This can easily be addressed by encrypting the application content.

More security concerns appear once an internet connection is established to fetch data. This connection can put the user or the application at risk. The biggest concern, in either hybrid or native development, is data integrity. Did the data come from the intended source? Has the data been tampered with before reaching the app? Tampering in transit is commonly known as a man-in-the-middle attack.

Requirements

  • A Monaca account with a plan that supports custom Cordova plugins.
  • Existing knowledge of how to build a custom Monaca Debugger.

The first step in addressing this concern is to make sure that all endpoint URLs use HTTPS/SSL. This ensures that the data transported between the server and the app is encrypted.

Cordova does not support true certificate pinning. The main barrier is the lack of native APIs in Android for intercepting SSL connections in order to check the server’s certificate.

The second step is to implement a check of the server certificate’s fingerprint. This step is known as certificate pinning. Cordova plugins are available to help achieve this by checking the server’s public key fingerprint or certificate.

The plugin we will be looking at and setting up is the SSLCertificateChecker-PhoneGap-Plugin. This plugin checks whether the fingerprint of the server’s certificate matches a known value.

First, we need to add this plugin to the project by navigating to the Manage Cordova Plugin screen and clicking Import Cordova Plugin.


Next, select Specify URL or Package Name, enter https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin.git and press OK.

Alternatively, you can download the plugin’s ZIP package from GitHub and upload it by selecting Upload Compressed ZIP Package.


The plugin will eventually appear under the Enabled Plugin list.


After the plugin has been added, we have access in JavaScript to the APIs needed to validate the certificate fingerprint before making requests.

In this example, we will create an app with a button that fetches the 50 most recent Monaca news and release titles.

The button first checks the API URL against the known fingerprint to determine whether the URL’s certificate is valid. If the certificate is valid, it then fetches the content.

In a script tag, we will create two variables.

The url variable contains the target URL that we will test and request data from. The fingerprint variable contains the monaca.mobi public key fingerprint to test against.

Next, we pass these variables to the plugin’s API, window.plugins.sslCertificateChecker, together with a success callback and an error callback.

Example Usage:

If the fingerprint is valid, the success callback is executed. In this example app, the success callback performs the second request, which fetches the actual data for display.

If the fingerprint is invalid, there are four likely explanations.

  • The server has a new public key, and therefore a new fingerprint.
  • The fingerprint in the code was entered incorrectly.
  • The connection to the server was lost, or the response timed out.
  • A possible man-in-the-middle attack.
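Putting the two variables and the plugin call together, and mapping the error callback’s result onto the list of likely explanations above, as an added example that is not code from the original post or from the plugin’s repository. It assumes the plugin’s check(success, error, server, fingerprint) API as documented in its README, uses a placeholder fingerprint and a constructed stand-in checker so that it runs offline; in the app, pass window.plugins.sslCertificateChecker and a fetchFn such as (u) => fetch(u).then((r) => r.json()).

```javascript
// Added example, not code from the original post or from the plugin's repository.
// Assumed plugin API, per its README:
//   window.plugins.sslCertificateChecker.check(success, error, server, fingerprint)
// where the error callback receives "CONNECTION_NOT_SECURE" on a fingerprint
// mismatch and "CONNECTION_FAILED" when the server could not be reached.

// The two variables from the post. The fingerprint is a PLACEHOLDER: paste the
// real value for your server, in the "AA BB CC ..." form the plugin expects.
const url = 'https://monaca.mobi/';
const fingerprint = 'PLACEHOLDER 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33';

// Outcomes, mapped from the plugin's error messages onto the post's list of causes.
const OUTCOME = {
  SECURE: 'secure',                 // fingerprint matched: safe to fetch data
  MISMATCH: 'fingerprint-mismatch', // rotated key, typo in code, or a man in the middle
  UNREACHABLE: 'connection-failed', // connection lost or response timed out
};

function classifyPinResult(message) {
  return message === 'CONNECTION_FAILED' ? OUTCOME.UNREACHABLE : OUTCOME.MISMATCH;
}

// The checker is injected so the logic runs without a device; in the app pass
// window.plugins.sslCertificateChecker.
function checkPin(checker, server, expected) {
  return new Promise((resolve) => {
    checker.check(() => resolve(OUTCOME.SECURE),
                  (msg) => resolve(classifyPinResult(msg)), server, expected);
  });
}

// Fetch only after the pin check passed; on any other outcome return no data
// so the caller can show an error instead of trusting the response.
async function fetchIfPinned(checker, fetchFn, server, expected) {
  const outcome = await checkPin(checker, server, expected);
  if (outcome !== OUTCOME.SECURE) return { outcome, data: null };
  return { outcome, data: await fetchFn(server) };
}

// Constructed stand-in for the plugin so this file runs offline in Node.
function fakeChecker(actualFingerprint, reachable = true) {
  return {
    check(success, error, _server, expected) {
      if (!reachable) return error('CONNECTION_FAILED');
      if (expected === actualFingerprint) return success('CONNECTION_SECURE');
      return error('CONNECTION_NOT_SECURE');
    },
  };
}
```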

Since this plugin only performs a pre-check before the actual request for the response data is made, it mitigates the risk only to an extent and has some drawbacks.

Drawbacks:

  • If you need to check on every request, the plugin’s pre-check adds a separate connection, so every request is effectively made twice.
  • If the check occurs only at a given point in the app’s lifecycle, for example at start-up, the connection may be secure at that moment but not afterwards. For example, your Wi-Fi connection switches networks while the app is already running, and later requests are never re-checked.

Some of these drawbacks could also be mitigated, but the ideal solution would be to verify the certificate on every request without duplicating the requests.

For the full source code of a working app, please see the GitHub repository: SSL Certificate Checker Demo Repo.

I hope you found this tutorial helpful in improving your hybrid mobile app’s security.

The Web Tub
