silkimen / cordova-plugin-advanced-http

Cordova / Phonegap plugin for communicating with HTTP servers. Allows for SSL pinning!
MIT License
391 stars 313 forks

Android & iOS Certificate Pinning #524

Open benjamin-luescher opened 3 months ago

benjamin-luescher commented 3 months ago

Android and iOS have a very simple setup for certificate pinning as described here:

I would like to use this setup to only enable certificate pinning for certain domains. See network_security_config.xml below:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config>
    <domain includeSubdomains="true">mydomain.com</domain>
    <pin-set expiration="2024-04-27">
      <!-- my certificate hash -->
      <pin digest="SHA-256">................</pin>
      <!-- my certificate backup hash -->
      <pin digest="SHA-256">................</pin>
    </pin-set>
  </domain-config>
</network-security-config>

With this setup I only want certificate pinning for "mydomain.com". In your setup I found certificate pinning which requires the certificates of every domain that is called from the app. A setup like the above doesn't work, right? As a first step I also tried to have this XML in addition to this plugin, but it seems like this plugin overrides my XML and doesn't care about my settings.

Any help? Thanks a lot!
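As an added example (not part of this issue or of the plugin), a small checker for a network_security_config.xml of the shape shown above. It flags the things that silently switch pinning off or weaken it: a pin-set whose expiration date has passed (Android stops enforcing the pins after that date), a missing backup pin, a pin that is not a base64 SHA-256 digest, and cleartext not explicitly disabled. The sample config and the pin values are constructed.

```python
import base64
import datetime as dt
import hashlib
import xml.etree.ElementTree as ET


# Constructed pin values: base64(SHA-256(SubjectPublicKeyInfo)) is what Android
# expects in <pin digest="SHA-256">. The SPKI bytes below are stand-ins, not real keys.
def spki_pin(spki_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


SAMPLE_NSC = f"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config>
    <domain includeSubdomains="true">mydomain.com</domain>
    <pin-set expiration="2024-04-27">
      <pin digest="SHA-256">{spki_pin(b"constructed-leaf-spki")}</pin>
      <pin digest="SHA-256">{spki_pin(b"constructed-backup-spki")}</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


def check_nsc(xml_text: str, today: str) -> list:
    """Return a list of findings for the config; an empty list means it looks sound."""
    findings = []
    root = ET.fromstring(xml_text.encode())
    base = root.find("base-config")
    # The platform default for cleartext depends on targetSdkVersion, so require an explicit "false".
    if base is None or base.get("cleartextTrafficPermitted") != "false":
        findings.append("base-config: cleartext traffic is not explicitly disabled")
    for dc in root.findall("domain-config"):
        names = ",".join((d.text or "").strip() for d in dc.findall("domain"))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"{names}: domain-config without a pin-set")
            continue
        exp = pin_set.get("expiration")
        # Android stops enforcing the pins once the expiration date has passed.
        if exp and dt.date.fromisoformat(exp) <= dt.date.fromisoformat(today):
            findings.append(f"{names}: pin-set expired on {exp}, pins are no longer enforced")
        pins = pin_set.findall("pin")
        if len(pins) < 2:
            findings.append(f"{names}: only {len(pins)} pin, no backup pin for key rotation")
        for p in pins:
            try:
                raw = base64.b64decode((p.text or "").strip(), validate=True)
            except ValueError:
                raw = b""
            if p.get("digest") != "SHA-256" or len(raw) != 32:
                findings.append(f"{names}: pin is not a base64-encoded SHA-256 digest")
    return findings
```

Run it against the real config before release and again whenever the pin-set expiration is within a few weeks, since an expired pin-set fails open rather than closed.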