SSL pinning
Charles C.
All current SSL pinning methods I know of require native code, and it is becoming increasingly necessary for pinned certs on deployed applications.
I think this would be an absolutely huge boon that would bring expo's react native approach further into the mainstream.
Reading resource:
Excerpt for context
/////
What Is Pinning?
Pinning is the process of associating a host with their expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. If more than one certificate or public key is acceptable, then the program holds a pinset (a term taken from Jon Larimer and Kenny Root's Google I/O talk). In this case, the advertised identity must match one of the elements in the pinset.
A host or service's certificate or public key can be added to an application at development time, or it can be added upon first encountering the certificate or public key. The former - adding at development time - is preferred since preloading the certificate or public key out of band usually means the attacker cannot taint the pin. If the certificate or public key is added upon first encounter, you will be using key continuity. Key continuity can fail if the attacker has a privileged position during the first encounter.
Pinning leverages knowledge of the pre-existing relationship between the user and an organization or service to help make better security related decisions. Because you already have information on the server or service, you don't need to rely on generalized mechanisms meant to solve the key distribution problem. That is, you don't need to turn to DNS for name/address mappings or CAs for bindings and status. One exception is revocation and it is discussed below in Pinning Gaps.
It is also worth mentioning that Pinning is not Stapling. Stapling sends both the certificate and OCSP responder information in the same request to avoid the additional fetches the client should perform during path validations.
When Do You Pin?
You should pin anytime you want to be relatively certain of the remote host's identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time.
A perfect case in point: during the two weeks or so of preparation for the presentation and cheat sheet, we've observed three relevant and related failures. First was Nokia/Opera willfully breaking the secure channel; second was DigiCert issuing a code signing certificate for malware; and third was Bit9's loss of its root signing key. The environment is not only hostile, it's toxic.
/////
O
O.o
Any updates?
Frederick Widjaja
I've made a library to make SSL pinning using public keys much simpler and more secure on React Native. No native configuration (e.g. bundling certs, native code) will be needed, and there is also no need to convert existing network request code to enable pinning after installing the library. You can check it out at
It's compatible with the Expo managed workflow, although you won't be able to perform SSL pinning when using Expo Go.
Also, since all of the pinning configuration is done through the JS API, this opens up the possibility of using OTA updates (e.g. through expo-updates) to keep the public key hashes up to date and prevent your users from getting locked out of your site. Do check it out!
R
R.M.
Frederick Widjaja: Hi, what would be the differences between your library and this one (https://github.com/MaxToyberman/react-native-ssl-pinning)? Thank you
Frederick Widjaja
R.M.: I would say the main differences are that you don't have to copy over certificates to your native app bundle (makes it easier for Expo users to set up), and there is no need to use a custom fetch function to make network requests (which means compatibility with existing 3rd-party libraries like axios).
Ioana Buliga
Frederick Widjaja: hey, is it necessary to run npx expo prebuild (in a managed expo app)? I am a bit confused about this command since the docs do not say that we should modify those generated android/ios files
Frederick Widjaja
Ioana Buliga: No modification of the generated android/ios files is necessary as the package will automatically be picked up and included in your build, but you will need to create a development build to test out the pinning as Expo Go won't have this library included. The instruction to run prebuild is for if you're building locally (https://docs.expo.dev/develop/development-builds/development-workflows/#build-locally-with-android-studio-and-xcode), but if you're using EAS to create a development build (https://docs.expo.dev/develop/development-builds/create-a-build/) it shouldn't be necessary.
Hope that clears it up!
Ioana Buliga
Frederick Widjaja: does that mean that we will not be able to use Expo Go anymore?
Frederick Widjaja
Ioana Buliga: You can still use Expo Go for development, but you'll need to make sure that the SSL pinning library is available using isSslPinningAvailable before calling initializeSslPinning (https://github.com/frw/react-native-ssl-public-key-pinning#api-reference). Otherwise there'll be an exception due to the library not being found in Expo Go.
Ioana Buliga
Frederick Widjaja: I see, thank you very very much for your answer. Have a great day! :) ^^
Ioana Buliga
Frederick Widjaja: Hello again 🫣 So the library is amazing, very easy to use and set up. I only have one more question, because I don't really understand how it works "under the hood". Does this library block API requests by default or will I have to handle that ?
Frederick Widjaja
Ioana Buliga: It will block API requests by default if it detects that the SSL certificate provided by the server does not match your domain pinning configuration. Check out the FAQ section https://github.com/frw/react-native-ssl-public-key-pinning#check-setup regarding providing the wrong hashes to test that everything is set up correctly. Hope it helps!
Also, feel free to open up a discussion topic on https://github.com/frw/react-native-ssl-public-key-pinning/discussions if you're still having problems as here is probably not the best place to discuss :)
Jean Baro
Any update on this? Please
Sergey Pravosud
Hi guys! Any updates here? It would be a useful feature.
Jean Baro
Sergey Pravosud: This is an important feature for bank and financial apps.
Pratik Sanyaja
Guys, do we have any blog or article with proper detail for this?
Amar Panigrahy
We love the Expo Framework, any updates on when Expo would have this feature without ejecting?
Marcus Pamp
Any updates regarding certificate pinning?
silentsurfer
Should be possible to set up certificate pinning while remaining in the managed flow (though no more Expo Go) by following the approach outlined here: https://stackoverflow.com/a/70775576/4350421
Henrique Bruno Fantauzzi de Almeida
Any EAS solution?
Wodin
Henrique Bruno Fantauzzi de Almeida: https://forums.expo.dev/t/react-native-expo-ssl-pinning/57455/5?u=wodin
Henrique Bruno Fantauzzi de Almeida
Hi, Wodin! I am aware of this link, I even linked it on my GitHub issue. As said on the issue, I don't have a way to use Xcode, nor minimal knowledge of config plugins.
But I'm not sure yet if SSL pinning would help with my issue:
I am using a payment gateway that requires my client to have an SSL certificate. I am using WebView, and it has a <script/> tag whose source URL is the gateway's .js code, so I can tokenize the user's credit card and then it's sent to my server to make the transaction.
Do you know if it's possible to have SSL in the local WebView? Or do I need to, like, host the HTML in Firebase Hosting for example, and then use the URL as the source for my WebView?
I've been searching for this for some days and I can't find a good reference about it :/
Edit: Maybe it would be possible to use Cloud Functions directly to "host" the content for my needs? https://firebase.google.com/docs/hosting/functions I already am using CF, and not having to deal with Firebase Hosting would be better.
Tony Mann
This forum topic is closed. The solution was described, but the actual config plugin code was not provided. Does anyone have code they could post?
JoeG
Hi - love your work on Expo Go! Has there been any update on using SSL pinning without ejecting? Even a way of providing cert hashes to a new Expo API that could be used on the native layer with available SSL pinning methods - thanks a bunch!