1.6 Enabling SSL pinning in the application
This topic describes the steps to enable SSL pinning in the application.
SSL pinning is required to connect securely to the bank's https server URL and to mitigate man-in-the-middle attacks. It is recommended to enable it in production. By default, SSL pinning is set to NO in the application for development purposes, so that the application can connect to https URLs without SSL pinning checks.
Note: The OS by default checks for a valid, trusted SSL certificate using App Transport Security (ATS). Hence, the server must have a valid certificate chain and adhere to the ATS requirements. SSL pinning is an additional security measure as per security standards.
- To enable SSL pinning, the bank must follow the configuration described in the section Configurations for the IOS application.
- The SSL certificate needs to be added to the workspace. To download and add this certificate, follow the steps below:
- Open the bank’s https website in Safari on a Mac machine.
- The website displays a lock icon in the address bar next to the URL.
- Click on that lock icon. A window with the site details is displayed.
- Click on Show certificate. The certificate details window is displayed.
- Press and drag the certificate icon from Safari to any location on your machine.
- Rename the file to any name ending in .cer (for example, certificate.cer).
- Copy-paste the certificate inside the IOS workspace at this location:
/service/workspace_installer/zigbank/platforms/ios/ZigBank/
- Right-click the Resources folder and select “Add Files to Zigbank”.
- Select the certificate file saved in the step above.
- Select the ZigBank target.
- The certificate is added to the Resources folder.
- Copy the certificate file name and add it in app.plist against @@PINNING_CERTIFICATE_OLD_1 under the PinnedCertificateName key. Refer to the configuration section for details of this key.
Note:
Since this is an array, the bank can add multiple certificates for @@PINNING_CERTIFICATE_OLD_1 and @@PINNING_CERTIFICATE_OLD_2; the order does not matter. Also, since SSL certificates are renewed after expiry, the @@PINNING_CERTIFICATE_NEW_1 and @@PINNING_CERTIFICATE_NEW_2 options are provided.
These hold the corresponding new certificate names, which the bank can add when the old certificates are about to expire, releasing this version of the application to the App Store before the old certificates expire. This allows the application to continue working with SSL pinning even after the old certificates have expired. The bank can repeat this activity every year before the old certificate expires.
- To add the new certificates to the workspace, the bank must follow the same steps as above.
- After the certificates are configured, the next step is to set the ‘PinnedUrl’ key in app.plist. Refer to the configuration section for details of this key. Add the https URL against which the certificates are to be verified. If certificates for multiple sites have been added, the bank must set all of those URLs, one per array item.
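As an added preflight check (example code, not part of the OBDX application or of this guide), the Python script below shows an assumed layout of the two app.plist keys from the steps above, resolves the @@PINNING_CERTIFICATE_* tokens to the certificate file names a bank has filled in, verifies that every name is a .cer file present in the Resources folder and that every PinnedUrl is an https URL, and prints the SHA-256 fingerprint of each bundled certificate so it can be compared with the certificate the server actually serves. The plist layout, the token values, the file names and the certificate bytes are all constructed assumptions.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample of the two app.plist keys discussed above. Assumed layout:
# PinnedCertificateName and PinnedUrl are arrays of strings, and the
# @@PINNING_CERTIFICATE_* tokens are replaced with the bank's own file names.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PinnedCertificateName</key>
    <array>
        <string>@@PINNING_CERTIFICATE_OLD_1</string>
        <string>@@PINNING_CERTIFICATE_OLD_2</string>
        <string>@@PINNING_CERTIFICATE_NEW_1</string>
        <string>@@PINNING_CERTIFICATE_NEW_2</string>
    </array>
    <key>PinnedUrl</key>
    <array>
        <string>https://bank.example.com</string>
        <string>http://api.bank.example.com</string>
    </array>
</dict>
</plist>
"""

# Constructed token values, as a bank might fill them in (hypothetical file names).
# Empty slots are allowed: not every OLD/NEW position has to be used.
TOKEN_VALUES = {
    "@@PINNING_CERTIFICATE_OLD_1": "bank-2024.cer",
    "@@PINNING_CERTIFICATE_OLD_2": "",
    "@@PINNING_CERTIFICATE_NEW_1": "bank-2025.cer",
    "@@PINNING_CERTIFICATE_NEW_2": "",
}

# Constructed stand-in for an exported certificate; a real .cer holds DER bytes.
SAMPLE_CER_BYTES = b"constructed DER placeholder, not a real certificate"


def sha256_hex(data):
    """SHA-256 fingerprint of raw certificate bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def resolve_names(plist_bytes, token_values):
    """Return the certificate file names the app will pin, skipping empty or unreplaced slots."""
    cfg = plistlib.loads(plist_bytes)
    names = []
    for entry in cfg.get("PinnedCertificateName", []):
        value = token_values.get(entry, entry)  # a literal file name passes through
        if value and not value.startswith("@@"):  # "@@..." means the token was never replaced
            names.append(value)
    return names


def check_pinned_urls(plist_bytes):
    """Return (ok_urls, problems): every PinnedUrl must be an https URL with a host."""
    cfg = plistlib.loads(plist_bytes)
    ok, problems = [], []
    for url in cfg.get("PinnedUrl", []):
        parts = urlparse(url)
        if parts.scheme == "https" and parts.hostname:
            ok.append(url)
        else:
            problems.append(f"{url}: pinning only applies to https URLs")
    return ok, problems


def check_bundle(resources_dir, names):
    """Confirm each pinned .cer exists in Resources and return {name: sha256 fingerprint}."""
    fingerprints, problems = {}, []
    for name in names:
        if not name.endswith(".cer"):
            problems.append(f"{name}: expected a .cer file name")
        path = Path(resources_dir) / name
        if not path.is_file():
            problems.append(f"{name}: not found in {resources_dir}")
            continue
        fingerprints[name] = sha256_hex(path.read_bytes())
    return fingerprints, problems


def preflight(plist_bytes, token_values, resources_dir):
    """Run all checks and return the pinned names, their fingerprints and any problems found."""
    names = resolve_names(plist_bytes, token_values)
    _, url_problems = check_pinned_urls(plist_bytes)
    fingerprints, bundle_problems = check_bundle(resources_dir, names)
    return {"names": names, "fingerprints": fingerprints,
            "problems": url_problems + bundle_problems}


def make_sample_resources():
    """Create a throw-away Resources folder holding one constructed .cer file."""
    resources = tempfile.mkdtemp(prefix="Resources-")
    (Path(resources) / "bank-2024.cer").write_bytes(SAMPLE_CER_BYTES)
    return resources


if __name__ == "__main__":
    report = preflight(SAMPLE_PLIST, TOKEN_VALUES, make_sample_resources())
    for line in report["problems"]:
        print("PROBLEM:", line)  # the http URL and the missing bank-2025.cer are reported
    for name, fp in report["fingerprints"].items():
        print(f"{name}: sha256={fp}")
```

Run this against the real workspace by pointing `preflight` at the ZigBank Resources folder and the bank's own token values. The fingerprint printed for each bundled file should match the one obtained from the exported certificate with `openssl x509 -in certificate.cer -inform DER -noout -fingerprint -sha256`; a mismatch means the wrong file was added to the bundle and pinning would reject the live server.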
Parent topic: OBDX Servicing Application