Certificate pinning added to OptimizelySDKCore. OptimizelySDKCore is set as the delegate for NSURLSession (NSURLSessionDelegate). The pinning code depends on three public certificates expected to be bundled in the OptimizelySDKCoreiOS framework.
Another change
-- Added 3 certificate files (apiDump.cer, cdnDump.cer, logxDump.cer) to the Copy Bundle Resources phase of OptimizelySDKCoreiOS
The "why", or other context.
As part of our security policy we need to verify the server trust for every network call that originates from our application, to prevent man-in-the-middle attacks or eavesdropping.
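As an added example (not code from this PR or from the SDK), here is the shape of an NSURLSessionDelegate that does what the summary describes: it loads the three bundled .cer files and accepts a server trust only when the leaf certificate matches one of them. The class name OPTPinningSessionDelegate and the use of bundleForClass: to locate the framework bundle are assumptions.

```objc
// Added example, not the SDK's own code: an NSURLSessionDelegate that pins the server's
// leaf certificate to one of the three DER-encoded .cer files bundled in the framework.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface OPTPinningSessionDelegate : NSObject <NSURLSessionDelegate>   // hypothetical class name
@end

@implementation OPTPinningSessionDelegate
// Loads the DER bytes of each bundled certificate (apiDump.cer, cdnDump.cer, logxDump.cer).
- (NSArray<NSData *> *)pinnedCertificateData {
    NSBundle *bundle = [NSBundle bundleForClass:[self class]];   // the framework's own bundle
    NSMutableArray<NSData *> *pins = [NSMutableArray array];
    for (NSString *name in @[@"apiDump", @"cdnDump", @"logxDump"]) {
        NSString *path = [bundle pathForResource:name ofType:@"cer"];
        NSData *der = path ? [NSData dataWithContentsOfFile:path] : nil;
        if (der) [pins addObject:der];
    }
    return pins;
}
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    // Only server-trust challenges are pinned; anything else gets the system's default handling.
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    // Step 1: ordinary chain validation (expiry, hostname, trusted root) must still pass.
    // A proxy root installed on the device passes this step, which is why step 2 exists.
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess ||
        (result != kSecTrustResultUnspecified && result != kSecTrustResultProceed)) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    // Step 2: the presented leaf certificate must be byte-identical to a bundled one.
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
    if ([[self pinnedCertificateData] containsObject:leafDER]) {
        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
    } else {
        // An intercepting proxy presents its own leaf, so the connection is refused here.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```

Because this pins the whole leaf certificate, the bundled .cer files must be replaced whenever Optimizely rotates its certificates, or every SDK network call fails until an app update ships. The test plan below exercises the refusal path from the proxy side.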
Test plan
Install Charles Proxy on the same network as the device or simulator on which you will test an app that uses the framework.
Install the Charles Proxy root certificate on the phone or simulator.
Start Charles Proxy.
Launch an app that uses the SDK and observe that its connections fail while Charles Proxy is intercepting the traffic.
Remove the Charles root certificate from the test phone (or disable the proxy) and rerun.
Observe that the connection succeeds and the traffic is encrypted.
Issues
As per the meeting between Earnin and Optimizely, we've agreed that instead of accepting our incoming code changes, Optimizely will update OptimizelySDKCore.podspec with a bundle resources specification such as
In addition, Optimizely will add the added certificates to the Copy Bundle Resources phase of the OptimizelySDKCoreiOS target in Xcode.
Thanks, Eli Hini