Ionic 3 implement SSL Pinning


#1

In my application, I am using HttpClient for making a service call. During the security testing, I was requested to implement SSL Pinning. I got the information and put the certificate in the www/certificate folder too. But I have a doubt:

1> Is it enough if I implement the code in app.component.ts only, or should I implement it in every place a service is called?

 try {
     cordova.plugin.http.enableSSLPinning(false, function () {
       console.log('success!');
     }, function () {
       console.log('error :(');
     });
   } catch (error) {
     console.log('error :(' + error);
   }

2> How can I test this scenario?


#2

Where does this come from?

What scenario exactly? If SSL pinning works?


#3

I also need this. I have implemented it in the constructor. Please advise me where I should place this code.


#4

No, as same as before I have no idea what this code is and where it comes from.


#5

It makes no sense to wrap an async call in try catch unless you’re using async/await. Besides that what you have should work if you are running it on app startup (like in app.component.ts constructor platform.ready call). Make sure you don’t do any startup http calls before doing this though.

Also you can no longer use httpClient, you instead need to use the http native plugin to make your calls now, that’s kind of the whole point of what you’re doing. Only native code can use certificate pinning, so you have to use that.

As far as testing, just set up a proxy and your http calls should fail. This one is generally recommended: https://mitmproxy.org/


#6

I followed this URL: https://github.com/silkimen/cordova-plugin-advanced-http


#7

Thanks for the response. So I want to make a service call

try {
  cordova.plugin.http.enableSSLPinning(false, function () {
    console.log('success!');
    // Call my web service call: getDashboardService()
  }, function () {
    console.log('error :(');
  });
} catch (error) {
  console.log('error :(' + error);
}

Is it like that? I am a bit confused about enabling this SSL pinning. Please guide me.


#8

…what?

Inside platform.ready in app constructor:

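import { Platform } from 'ionic-angular';
import { HTTP } from '@ionic-native/http';

constructor(private platform: Platform, private http: HTTP) {
  // Wait for Cordova to be ready before touching the native plugin.
  platform.ready().then(() => {
    // ...whatever else is in your app.component
    return http.enableSSLPinning(true);
  })
  .catch(console.log);
}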

In whatever service you might need anywhere:

import { HTTP } from '@ionic-native/http';

constructor(private http: HTTP) {}

gotGetWhateverData() {
  // The native plugin's get() takes the URL, query parameters and headers.
  return this.http.get('https://www.something.com/data', {}, {});
}

And, as I said, be sure no http calls happen before you enable the pinning.
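
The ordering requirement above ("no http calls happen before you enable the pinning"), as an added example that is not part of the original thread or of the plugin: a hypothetical `PinnedHttp` wrapper makes every request wait for `enableSSLPinning(true)` and blocks requests if enabling fails. `NativeHttp`, `PinnedHttp`, `FakeNativeHttp` and `demo` are illustrative names, and the fake plugin is constructed so the block runs without a device.

```typescript
// Assumed shape of the plugin methods used in the thread; pass the injected HTTP in a real app.
interface NativeHttp {
  enableSSLPinning(enable: boolean): Promise<void>;
  get(url: string, parameters: any, headers: any): Promise<any>;
}

// Hypothetical wrapper: requests wait for pinning and fail closed without it.
class PinnedHttp {
  private http: NativeHttp;
  private ready: Promise<void>;
  constructor(http: NativeHttp, platformReady: Promise<any>) {
    this.http = http;
    // Enable pinning as soon as Cordova is ready, before any request is sent.
    this.ready = platformReady.then(() => http.enableSSLPinning(true));
    this.ready.catch(() => undefined); // failure is reported by get() below
  }
  get(url: string, parameters: any = {}, headers: any = {}): Promise<any> {
    if (!/^https:\/\//i.test(url)) {
      return Promise.reject(new Error('refusing non-HTTPS URL: ' + url));
    }
    return this.ready.then(
      () => this.http.get(url, parameters, headers),
      (err) => { throw new Error('pinning not enabled, request blocked: ' + err); }
    );
  }
}

// Constructed fake plugin that records the order of native calls.
class FakeNativeHttp implements NativeHttp {
  calls: string[] = [];
  private pinningWorks: boolean;
  constructor(pinningWorks: boolean) { this.pinningWorks = pinningWorks; }
  enableSSLPinning(enable: boolean): Promise<void> {
    this.calls.push('enableSSLPinning(' + enable + ')');
    return this.pinningWorks ? Promise.resolve() : Promise.reject(new Error('no certificate'));
  }
  get(url: string): Promise<any> {
    this.calls.push('get ' + url);
    return Promise.resolve({ status: 200, data: '{}' });
  }
}

// A request issued at startup, before pinning has finished being enabled.
function demo(pinningWorks: boolean): Promise<string[]> {
  const fake = new FakeNativeHttp(pinningWorks);
  const api = new PinnedHttp(fake, Promise.resolve());
  return api.get('https://www.something.com/data')
    .then(() => fake.calls, () => fake.calls.concat('blocked'));
}
```
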


#9

Thanks for your support. I will try this