SSL Pinning (Beta)
SSL-based security can be compromised if the root certificate on the user's device is compromised. To prevent data leaks in such cases, SSL pinning is employed. You can find more details in the case explained here.
In SSL pinning, the hash of the SSL public key is included in the mobile app. When making a call (such as XMLHttpRequest) to a remote server, the hash of the server's public key is verified against the hashes stored in the mobile app. Only if the hash is present, the call is allowed to proceed. In WaveMaker, SSL pinning is implemented using the React Native plugin called react-native-ssl-public-key-pinning.
Setup
- Open Export React Native Dialog and navigate to the SSL Pinning section.
- Enable SSL Pinning, as shown below.
- Identify the domains that your app will access.
- Include the hashes of the public keys for all the identified domains.
- Save and Build.
How to get Hash of SSL Public Key from URL
- Install OpenSSL.
- Execute the following command. Replace DOMAIN_NAME with your target domain.
openssl s_client -connect DOMAIN_NAME:443 |\
openssl x509 -pubkey -noout |\
openssl pkey -pubin -outform der |\
openssl dgst -sha256 -binary |\
openssl enc -base64
- Hash will be at the end of the output and is highlighted in yellow color.
Following is the command for www.wavemaker.com as reference.
Caution
In situations where the SSL public key expires and a new SSL certificate is deployed on the server, the SSL pinning mechanism can block all app-to-server calls since the new certificate doesn't match the one stored in the app. Consequently, the app becomes non-functional. To mitigate this issue, it is recommended to have multiple backup keys available.
For more detailed information on this topic, please refer to this document authored by the Trust Kit library, which is internally utilized by WaveMaker.