As a user I want to be able to use the Mobile Application even when the SSL certificate has been changed without the need to update the mobile application on my device
ACs
- [x] The app should be able to get the SSL Fingerprint Trusted-List in the splash screen
- [ ] The app should be able to get the new SSL Fingerprint Trusted-List (TBD)
  - [ ] While using the application
    - [ ] This option provides a seamless user experience where the SSL Fingerprint Trusted-List is replaced without user interaction, similar to the OAuth2 procedure for refreshing authentication tokens
    - [ ] This should work fine for API requests using the GET, PUT and PATCH methods, but POST and DELETE are risky because the user's data could be submitted to the server twice (first request -> goes through, but the app rejects the response because the certificate fingerprint has changed -> fetch new fingerprints -> send the first request again, potentially doubling whatever action the user took)
      Investigate a solution that includes the interceptor but removes it for POST/DELETE, keeping the user experience in mind
  - [ ] After app restart
    - [ ] Once the certificate is installed the user should be redirected to the splash screen with a user-friendly message that, for security reasons, the app should be restarted (most likely through a maintenance mode)
    - [ ] This option will be easier to implement
- [x] The app should be able to decrypt the SSL Fingerprint Trusted-List
- [x] Once the SSL Fingerprint Trusted-List is decrypted, an SSL HTTP Interceptor should be added to ensure man-in-the-middle attacks are prevented (moved to the Dio validateCertificate callback approach, which validates on response)
- [x] The SSL Private Key should be added to the application by using the obfuscation option from envied in the build pipeline of the CI/CD
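The following Dart snippet is an added illustration of the two mechanisms described above, not code from this project: fingerprint pinning through the dio `IOHttpClientAdapter.validateCertificate` callback (dio 5.x and the `crypto` package are assumed), and an error interceptor that refreshes the trusted list and replays the request only for GET/PUT/PATCH, letting POST/DELETE fail so the user's action is never doubled. The `/ssl-fingerprints` endpoint, the `pinRetried` marker and the use of a separate, non-pinned client for the refresh (relying on the list's own encryption for integrity, as the decryption step is out of scope here) are assumptions of this example.

```dart
// Added example, not the project's code. Assumes dio 5.x and package:crypto.
import 'dart:io';

import 'package:crypto/crypto.dart';
import 'package:dio/dio.dart';
import 'package:dio/io.dart';

/// Holds the decrypted SSL Fingerprint Trusted-List: lower-case hex SHA-256
/// of each trusted certificate's DER encoding. Decryption is out of scope.
class TrustedFingerprints {
  TrustedFingerprints(this._fingerprints, this._refreshClient);

  Set<String> _fingerprints;

  /// Hypothetical non-pinned client used only to fetch the new list; the
  /// list's own encryption (not pinning) is assumed to protect its integrity.
  final Dio _refreshClient;

  bool contains(String fingerprint) => _fingerprints.contains(fingerprint);

  /// Hypothetical refresh endpoint; replace with the app's real fetch+decrypt.
  Future<void> refresh() async {
    final res = await _refreshClient.get<List<dynamic>>('/ssl-fingerprints');
    _fingerprints = res.data!.cast<String>().toSet();
  }
}

/// SHA-256 over the DER certificate, rendered as lower-case hex.
String sha256Fingerprint(X509Certificate cert) =>
    sha256.convert(cert.der).toString();

/// Methods that are safe to replay after a fingerprint refresh.
const Set<String> _retryableMethods = {'GET', 'PUT', 'PATCH'};

class FingerprintRefreshInterceptor extends Interceptor {
  FingerprintRefreshInterceptor(this._dio, this._trusted);

  final Dio _dio;
  final TrustedFingerprints _trusted;

  @override
  Future<void> onError(
      DioException err, ErrorInterceptorHandler handler) async {
    final method = err.requestOptions.method.toUpperCase();
    final alreadyRetried = err.requestOptions.extra['pinRetried'] == true;

    // Only a pin failure on a replay-safe method gets refresh-and-retry;
    // POST/DELETE (and a second failure) surface the error to the caller.
    if (err.type != DioExceptionType.badCertificate ||
        !_retryableMethods.contains(method) ||
        alreadyRetried) {
      return handler.next(err);
    }

    try {
      await _trusted.refresh();
      final opts = err.requestOptions..extra['pinRetried'] = true;
      handler.resolve(await _dio.fetch(opts));
    } on DioException catch (e) {
      handler.next(e);
    }
  }
}

/// Builds the pinned client: every response's server certificate must match
/// a fingerprint in the trusted list, otherwise dio raises badCertificate.
Dio buildPinnedDio(String baseUrl, TrustedFingerprints trusted) {
  final dio = Dio(BaseOptions(baseUrl: baseUrl));
  dio.httpClientAdapter = IOHttpClientAdapter(
    validateCertificate: (X509Certificate? cert, String host, int port) {
      if (cert == null) return false;
      return trusted.contains(sha256Fingerprint(cert));
    },
  );
  dio.interceptors.add(FingerprintRefreshInterceptor(dio, trusted));
  return dio;
}
```

For the "after app restart" variant, the interceptor would instead, on `badCertificate`, navigate to the splash screen with the restart message rather than refreshing and replaying; the pinning callback stays the same.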
References
https://pub.dev/packages/envied#obfuscationencryption