bamlab / react-native-app-security

Easily implement usual security measures in React Native Expo apps. Made by BAM ❤️💙💛

Clarification on the Requirement for Two Certificate Hashes in SSL Pinning #6

Closed mikenandi closed 5 months ago

mikenandi commented 6 months ago

Hi,

I noticed that the @bam.tech/react-native-app-security library requires two certificate hashes for SSL pinning, as shown in the example configuration below:

"@bam.tech/react-native-app-security": {
  "sslPinning": {
    "yahoo.com": [
      "TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
      "rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
    ]
  }
}

Could you please provide some clarification on why two certificate hashes are required for each pinned hostname? What specific security benefits or use cases does this approach address?

Additionally, are there any guidelines or best practices recommended for providing multiple hashes?

Thank you for your assistance.

matthieugicquel commented 5 months ago

Hi,

The lib we're using to implement pinning on iOS (TrustKit) requires 2 hashes and provides an explanation here. To sum up: always have a backup pin, to avoid locking your users out.

I guess you could always put something random as the second pin, but that's not recommended :)

Thanks for the feedback, I'll update the README to add an explanation!