approov / react-native-cert-pinner

Strengthens TLS in React Native through Certificate Pinning
https://blog.approov.io/tag/reactnative
Apache License 2.0
96 stars 41 forks

Fetch is successful with wrong pins #5

Closed mikaoelitiana closed 5 years ago

mikaoelitiana commented 5 years ago

I have installed the module as described and configured my pins with a given domain. Now if I set wrong pins for the domain and generate the pinset then rebuild the app, my calls to the domain are still successful. Am I missing anything?

Here is my configuration:

Environment:
  OS: macOS 10.14.1
  Node: 9.11.2
  Yarn: 1.10.1
  npm: 6.4.1
  Watchman: 4.9.0
  Xcode: Xcode 10.1 Build version 10B61
  Android Studio: 3.1 AI-173.4907809

Packages: (wanted => installed)
  react: 16.3.1 => 16.3.1
  react-native: 0.55.3 => 0.55.3

mikaoelitiana commented 5 years ago

I finally found out that the issue happens only when debugging js remotely. When I am not debugging JS, everything is working fine.

dusandz commented 5 years ago

Still works with wrong pins for me on iOS, both in debug mode and in prod (installed through TestFlight).

ajulien42 commented 5 years ago

Hey, I had the same issue, I just had to install it manually and it worked fine (if your Podfile is a mess you can use Carthage btw). Also TrustKit absolutely needs 2 certificates per domain to work.

dusandz commented 5 years ago

I also (eventually) made it work, but for the life of me I can't recall what I did to beat it into submission. After all the installing, debugging and rolling back, I probably effectively did the same thing you did. Oh, and I also tripped on "minimum 2 certs per domain" rule, even though the docs strongly advise not to use only one hash 😄
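
A pre-build lint for the "minimum 2 pins per domain" rule mentioned in the last two comments, as an added example that is not part of the thread or of the project's code. The pinset shape (`{ domain: ["sha256/<base64>", ...] }`) and the names `decodePin`, `lintPinset` and `samplePinset` are assumptions made for illustration.

```javascript
// Added example: lint a pinset before it is compiled into the app.
// Assumed shape: { "<domain>": ["sha256/<base64 digest>", ...] }.

const MIN_PINS = 2; // the "minimum 2 per domain" rule reported in this thread

// Return the 32-byte digest, or null if the pin is not a well-formed,
// canonically encoded SHA-256 pin.
function decodePin(pin) {
  const m = /^sha256\/([A-Za-z0-9+/]{43}=)$/.exec(pin);
  if (!m) return null;
  const raw = Buffer.from(m[1], 'base64');
  // Buffer decoding is lenient, so re-encode and compare to reject
  // strings that decode but are not the canonical form of the digest.
  return raw.length === 32 && raw.toString('base64') === m[1] ? raw : null;
}

// Return a list of human-readable problems; an empty list means the
// pinset is well-formed and every domain has enough distinct pins.
function lintPinset(pinset) {
  const problems = [];
  for (const [domain, pins] of Object.entries(pinset)) {
    const distinct = new Set();
    for (const pin of pins) {
      const raw = decodePin(pin);
      if (raw === null) problems.push(`${domain}: malformed pin "${pin}"`);
      else distinct.add(raw.toString('hex'));
    }
    // A duplicated pin gives no backup key, so count distinct digests.
    if (distinct.size < MIN_PINS) {
      problems.push(`${domain}: ${distinct.size} distinct valid pin(s), need at least ${MIN_PINS}`);
    }
  }
  return problems;
}

// Constructed sample data: digests are filler bytes, not real key hashes.
const pin = (byte) => 'sha256/' + Buffer.alloc(32, byte).toString('base64');
const samplePinset = {
  'api.example.com': [pin(1), pin(2)],                // passes
  'single.example.com': [pin(3)],                     // only one pin
  'dup.example.com': [pin(4), pin(4)],                // same pin twice
  'bad.example.com': [pin(5), 'sha256/not-base64'],   // one malformed pin
};

for (const line of lintPinset(samplePinset)) console.log(line);
```

A clean lint only shows the pinset is well-formed; whether pinning is actually enforced still has to be confirmed on a device build with deliberately wrong pins, as the thread shows.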