How to use a pre-installed client certificate on iOS #10

Open
brodycj opened this issue Jul 10, 2019 · 1 comment
Labels
help wanted Extra attention is needed

Comments

Contributor

brodycj commented Jul 10, 2019

A major client received a requirement to support using a pre-installed client certificate (p12 certificate) on iOS, in a similar fashion to using a pre-installed client certificate on Android. It is desired to install the p12 certificate onsite, using MDM (Mobile Device Management), for example. While it would be possible to install the client certificate file with p12 and myp12 extensions via email, the client would like to avoid this kind of distribution if possible.

It would be ideal if the application could read and use a p12 certificate from the iOS keychain, just like it is possible on Android. Unfortunately we think this is not possible and a workaround solution is needed. Quoting from [1]:

An app can access only its own keychain items, or those shared with a group to which the app belongs. It can't manage the keychain container itself.

Here is the workaround solution that I proposed to the client, which does not require any code changes to the plugin:

  • configure the server with client certificate authentication as follows:
    • a desktop or mobile web client can use a p12 client certificate to access the server
    • iOS mobile web client can then download the client certificate file with “myp12” extension, upon successful authentication
  • install the p12 client certificate on the iOS device (this can be done onsite, using the MDM for example)
  • the user would use the p12 client certificate on iOS to read the myp12 certificate file from the server, click on the myp12 file, and then open that file with the Cordova application
  • then the Cordova application can proceed to use the client certificate to access the server

This workaround solution would work very differently from using a pre-installed client certificate on Android. I would like to get this workaround solution tested and documented.

Any other ideas from the user community would be highly appreciated.

Note that this description has been edited to clarify the background and proposed workaround solution.

[1] https://developer.apple.com/documentation/security/keychain_services/keychains
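For the last two steps of the workaround (the user taps the downloaded myp12 file and opens it in the Cordova application) the app must register itself as a handler for that file extension; iOS handles a plain .p12 download itself (as a certificate install) rather than offering it to apps, which is the reason for the distinct extension. The Info.plist fragment below is an added example, not part of this plugin or this issue; the UTI name `com.example.myp12` and the type descriptions are placeholders.

```xml
<!-- Added example (not from the plugin): declare a custom UTI for the
     ".myp12" extension and register the app as its handler, so that iOS
     offers "Open in <app>" for files downloaded via Safari.
     "com.example.myp12" is a placeholder identifier. -->
<key>CFBundleDocumentTypes</key>
<array>
  <dict>
    <key>CFBundleTypeName</key>
    <string>Client certificate bundle (myp12)</string>
    <key>LSHandlerRank</key>
    <string>Owner</string>
    <key>LSItemContentTypes</key>
    <array>
      <string>com.example.myp12</string>
    </array>
  </dict>
</array>
<key>UTExportedTypeDeclarations</key>
<array>
  <dict>
    <key>UTTypeIdentifier</key>
    <string>com.example.myp12</string>
    <key>UTTypeDescription</key>
    <string>Client certificate bundle (myp12)</string>
    <key>UTTypeConformsTo</key>
    <array>
      <string>public.data</string>
    </array>
    <key>UTTypeTagSpecification</key>
    <dict>
      <key>public.filename-extension</key>
      <array>
        <string>myp12</string>
      </array>
      <key>public.mime-type</key>
      <array>
        <string>application/x-pkcs12</string>
      </array>
    </dict>
  </dict>
</array>
```

Once registered, the file URL reaches the app through the normal open-URL path of cordova-ios; the PKCS#12 passphrase still has to be obtained from the user before the bundle can be imported.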

brodycj added the help wanted label Jul 10, 2019
Contributor Author

brodycj commented Jul 10, 2019

My client sent me some feedback that they received on the proposed workaround solution. I gather that the end customer would like to achieve improved consistency with Android.

The idea from the end customer is that in case the iOS client app is not authenticated, it should be able to present “a list of the client certificates that have been installed via myp12 files”. The user should be able to choose which certificate to use for authentication. (I think it would be ideal to use something like cordova-plugin-dialogs or EddyVerbruggen/cordova-plugin-actionsheet to show a native dialog, for the sake of improved consistency with Android.)

I think this idea should be technically feasible but would not be straightforward. I would have to do some testing to be 100% sure. I would estimate the impact on my other work to be 4-8 weeks at this point, assuming that I am not mistaken about the feasibility.

I am personally not convinced that this idea would really be worth implementing. I think it would add to the complexity of both the implementation and the user experience. Another idea for iOS could be to just present a confirmation dialog to ask whether or not the user wants to use the most recent myp12 certificate for authentication.

Any other ideas from the user community would be highly appreciated.

P.S. They would also like the user to be able to delete any installed client certificates on iOS. I think the primary motivation would be expired certificates, as discussed in #8 for Android. I personally think the best solution for iOS would be to simply install and use any new or updated certificates from myp12 files, as needed.
