silkimen / cordova-plugin-advanced-http

Cordova / Phonegap plugin for communicating with HTTP servers. Allows for SSL pinning!
MIT License

[Bug] SSL pinning is not working for both iOS and Android #522

Open takhil opened 5 months ago

takhil commented 5 months ago

Describe the bug We are getting an exception on both iOS and Android with our new certificate on the server. We checked the SSL certificate, everything looks fine, no errors. We tried adding both 'default' and 'trusted' and face the issue in both cases.

FYI, certificate pinning used to work a year ago, but because of our certificates we disabled it. Now, after updating the certs in the certificates folder, it is not respecting the certs; we checked the www folder and it has the certificates in the platform folder.

Anyone experiencing the same problem?

System info

Are you using ionic-native-wrapper?

Minimum viable code to reproduce

e.g.:

     import { HTTP, HTTPResponse } from '@awesome-cordova-plugins/http/ngx';

     // the plugin service is injected into the component
     constructor(private http: HTTP) {}

     // called at app start, before any pinned request is made
     this.http.setServerTrustMode('pinned');

Screenshots If applicable, add screenshots to help explain your problem.

Reference https://dzone.com/refcardz/securing-mobile-applications-with-cert-pinning

TiBz0u commented 2 months ago

Hi @takhil, first, can you confirm those questions:

If yes: what error do you have? -2? On both platforms? Is your certificate self-signed? I remember having an issue with this kind of certificate.

EDIT: I suppose that you correctly inject the http service in your Angular component and that setServerTrustMode() returns success.

Kr.

takhil commented 2 months ago

Hi @TiBz0u ,

Thanks for the response. I see error -2 from the mobile app when I tried to inject the serverTrustMode(), and I checked the certificate with the command and the certificate looks good.

Can you think of anything else?

TiBz0u commented 1 month ago

Hi @takhil,

The serverTrustMode() method normally only gives you a success. It has to be done when your app starts. After that, if you respect what I explained above, it has to work.

Please double-check the extension (.cer needed) and the format (must be DER and not PEM [base64]).

Otherwise, can you provide a public repository to check your configuration?

If you use a VPN, please make sure with IT that the VPN doesn't encapsulate everything; it can be a problem too.

Kr.
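As an added example, not code from this thread or from the plugin, here is a small stand-alone Python checker for the two points in the reply above: the certificate file must have a `.cer` extension and must be DER, not PEM. It classifies a file by its leading bytes and converts PEM to DER by decoding the base64 body (PEM is just base64-wrapped DER); the `www/certificates` path in the usage comment is an assumption about where the plugin looks.

```python
import base64
import re
import sys
from pathlib import Path

# A PEM file is the DER certificate, base64-encoded, between these markers.
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def detect_format(data: bytes) -> str:
    """Classify raw certificate bytes as 'pem', 'der' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE (tag 0x30) whose
    # length uses the long form (0x81..0x83) for anything longer than 127 bytes.
    if len(data) >= 2 and data[0] == 0x30 and data[1] in (0x81, 0x82, 0x83):
        return "der"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file into DER bytes."""
    match = PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def check_pinning_cert(filename: str, data: bytes) -> list:
    """Return the problems that would stop the plugin from using this file (empty list = OK)."""
    problems = []
    if not filename.lower().endswith(".cer"):
        problems.append("extension must be .cer")
    fmt = detect_format(data)
    if fmt == "pem":
        problems.append("content is PEM (base64); convert it to DER")
    elif fmt == "unknown":
        problems.append("content is not a DER or PEM X.509 certificate")
    return problems


def to_der(data: bytes) -> bytes:
    """Return DER bytes for either input encoding, ready to be written as <name>.cer."""
    return pem_to_der(data) if detect_format(data) == "pem" else data


if __name__ == "__main__":
    # Usage: python check_cert.py www/certificates/*  (folder path is an assumption)
    for arg in sys.argv[1:]:
        path = Path(arg)
        issues = check_pinning_cert(path.name, path.read_bytes())
        print(path, "OK" if not issues else "; ".join(issues))
```

To repair a PEM export, write `to_der(path.read_bytes())` to a file with the `.cer` extension and rebuild the app so the new file is copied into the platform folder.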