Ionic 3 implement SSL Pinning

ncssgmc · March 26, 2018, 5:40am

In my application, I am using HttpClient for making a service call. During the security testing, I am requested to implement the SSL Pinning. I got the information and put the certificate on the www/certificate folder too. But have a doubt about

if I implement the code in app.component.ts only enough or all service calling place should I implement

 try {
     cordova.plugin.http.enableSSLPinning(false, function () {
       console.log('success!');
     }, function () {
       console.log('error :(');
     });
   } catch (error) {
     console.log('error :(' + error);
   }

2> How I can test this sercario?

Sujan12 · March 26, 2018, 1:43pm

Where does this come from?

What scenario exactly? If SSL pinning works?

piraba · March 26, 2018, 1:50pm

I al so need this. I have implemented in constrator. Please advice me where should I place this code?

Sujan12 · March 26, 2018, 1:57pm

No, as same as before I have no idea what this code is and where it comes from.

rlouie · March 26, 2018, 2:11pm

It makes no sense to wrap an async call in try catch unless you’re using async/await. Besides that what you have should work if you are running it on app startup (like in app.component.ts constructor platform.ready call). Make sure you don’t do any startup http calls before doing this though.

Also you can no longer use httpClient, you instead need to use the http native plugin to make your calls now, that’s kind of the whole point of what you’re doing. Only native code can use certificate pinning, so you have to use that.

As far as testing, just set up a proxy and your http calls should fail. This one is generally recommended: https://mitmproxy.org/

ncssgmc · March 26, 2018, 2:28pm

I followed this URLhttps://github.com/silkimen/cordova-plugin-advanced-http

ncssgmc · March 26, 2018, 2:49pm

Thanks for the response. So I want to make service call

cordova.plugin.http.enableSSLPinning(false, function () {
console.log(‘success!’);
//Call My seb service call, //getDashboardService()
}, function () {
console.log(‘error :(’);
});
} catch (error) {
console.log(‘error :(’ + error);
}

is it like that? I am bit confused about enabling this SSL pinning? Please guide me

rlouie · March 26, 2018, 2:58pm

…what?

Inside platform.ready in app constructor:

import { HTTP } from '@ionic-native/http';

constructor(private http: HTTP) {
  platform.ready().then(() => {
    // ...whatever else is in your app.component
    return http.enableSSLPinning(true);
  })
  .catch(console.log);
}

In whatever service you might need anywhere:

import { HTTP } from '@ionic-native/http';

constructor(private http: HTTP) {}

gotGetWhateverData() {
  return this.http.get('www.something.com/data');
}

And, as I said, be sure no http calls happen before you enable the pinning.

ncssgmc · March 26, 2018, 3:40pm

Thanks for your support. I will try this