cordova-dev mailing list archives

From Tommy-Carlos Williams <>
Subject Re: Adding SSL Certificate Pinning to Cordova
Date Mon, 13 Jan 2014 21:42:59 GMT
It’s not just for self-signed certs either.

Google Chrome already does a variation of this (hardcoded) for Google’s certs.

I envisage developers being able to pin the certs for their own servers, but even for services
they use over SSL like and other BaaS providers.

The reason I am proposing the SHA1 fingerprint over the .cer file is that it’s easier to
get the fingerprint and include a string in a config.xml directive than it is to include a
.cer file. The easier it is to use, the more likely devs will use it.

- tommy

On 14 Jan 2014, at 8:16 am, Andrew Grieve <> wrote:

> I think the proposal is to include a white-list of self-signed certs
> within apps (or is it to use *only* the whitelist and reject otherwise
> valid certs?).
> I think it'd be great to have this feature. It's certainly been asked
> for several times.
> The referenced plugin certainly is a good reference to how to get at
> the certificates. I don't know whether use the SHA1 of the public
> certificate, or just a .cer file is easier, but I think they are both
> easy-enough and I don't believe you lose any security by using a SHA1.
> So, this all sounds great to me!
> On Mon, Jan 13, 2014 at 2:29 PM, Brian LeRoux <> wrote:
>> So, sort of like CSRF tokens except the other way around. ???
>> I might be misunderstanding but would it not be better to treat the server
>> as trusted and the client generally as untrusted? Given there are no
>> cross-platform key stores, the certs are effectively plaintext (but I could be
>> misunderstanding the impl).
>> On Sun, Jan 12, 2014 at 3:21 AM, Tommy-Carlos Williams <> wrote:
>>> TL;DR: I am proposing to add certificate pinning at least to iOS and
>>> Android, and help on any implementations for other platforms in any way I
>>> can.
>>> (Longer version)
>>> There is an existing issue for certificate pinning [1] from back in May of
>>> 2013 and it's something that I need for all of our apps and even any I
>>> might make for myself in the future.
>>> The last year or two have seen a pretty serious rise in both actual
>>> exploits and awareness around the topic of security. There was an article
>>> tweeted around recently about someone auditing mobile bank apps who found
>>> that "40% of the audited apps did not validate the authenticity of SSL
>>> certificates presented. This makes them susceptible to Man in The Middle
>>> (MiTM) attacks" [2].
>>> If certificate pinning is something good, and we can make it easy to
>>> implement, surely that would be a good thing? The whitelist is all well and
>>> good, but most people are probably leaving the default "*" and even if they
>>> didn't, it wouldn't protect them from MitM attacks.
>>> There *is* an existing plugin that attempts to do this for Cordova /
>>> PhoneGap [3][4], but it has a pretty massive and fairly obvious flaw. It
>>> simply checks the certificate then reports back in its callback. At first
>>> this might seem OK, but as someone pointed out in an issue [5], an attacker
>>> "could wait until the server is validated before adding the MITM server,
>>> circumventing the security check". I am no security expert, so if I could
>>> think of a way to get around this, then it's not very secure.
>>> What I am proposing is adding certificate pinning to Cordova itself so
>>> that the *actual* requests are checked (much like the whitelist). Not some
>>> initial request, or having to try and do two requests for every request
>>> (still leaving open the hole I spoke of above).
>>> I am looking for buy-in from the list, but I am also interested in
>>> discussion on the best way to do it (and test it).
>>> My initial proposal is to use SHA1 fingerprints (much like Eddy's plugin
>>> above [6]) as opposed to trying to get devs to embed an entire cert file in
>>> their app. The easier it is to use the more likely people are to use it. If
>>> they can get the fingerprint from any site they want to safely access by
>>> simply using Chrome/Safari/etc, or a basic cli command, that would be best.
>>> I envisage devs being able to even pin the certs for third party services
>>> like Parse etc.
>>> A simple config.xml directive with key/value pairs of any
>>> hosts/fingerprints should be all a dev needs to use this feature.
>>> - tommy
>>> 1.
>>> 2.
>>> 3.
>>> 4.
>>> 5.
>>> 6.
