When I start Packet Capture, TLS is not established (so no data is found in Packet Capture). When Packet Capture isn’t running, traffic works fine (GREAT).
The pinned method is working “fine”; the problem is that when my certificate is renewed, I always have to update my CER file in my app, and this is the problem. I’m not able to find the solution by myself.
I talked to my host’s support, and I can’t see the details in their certbot (for the --reuse-key option link).
Can anyone give me tips for encrypted traffic that prevents man-in-the-middle attacks in a Cordova app? Thanks!
In our app we implement this exactly like you. Of course you have to renew the certificate after a few years. That’s normal. We solved it by creating a REST endpoint which returns the min version that is required to work with the current backend:
These values can be changed in our admin console, so when a new certificate is needed, we build a new app version with it and update the minVersion in the database.
When you implement it like this, you first have to check the min version on app startup and then, if successful, enable SSL pinning the way you do.
I think you can also test Code Push, as the certificate only has to be in the /www* folder. With this plugin you can perform an in-app update. You can try changing the certificate within the update too.
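The startup flow this reply describes (fetch the backend's minimum supported app version, and only enable pinning if the installed version passes), as an added JavaScript example that is not code from the thread or from the poster's app; the endpoint path, the `{ "minVersion": "2.1.0" }` JSON shape and the `httpGetJson`/`enablePinning` hooks are assumptions.

```javascript
// Added example (not the poster's code). Endpoint path and JSON shape
// { "minVersion": "2.1.0" } are assumptions, as is the enablePinning hook.
function parseVersion(v) {
  // "2.1.0" -> [2, 1, 0]; anything but dot-separated digits is rejected
  if (typeof v !== 'string' || !/^\d+(\.\d+)*$/.test(v)) {
    throw new Error('malformed version: ' + String(v));
  }
  return v.split('.').map(Number);
}

function versionAtLeast(current, min) {
  // Component-wise numeric compare; missing components count as 0
  const a = parseVersion(current), b = parseVersion(min);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

function evaluateMinVersion(appVersion, body) {
  // Verdict on one response body; fails closed on anything unexpected
  if (!body || typeof body.minVersion !== 'string') {
    return { ok: false, reason: 'malformed minVersion response' };
  }
  try {
    if (!versionAtLeast(appVersion, body.minVersion)) {
      return { ok: false, reason: 'update required: minimum is ' + body.minVersion };
    }
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  return { ok: true, reason: 'version accepted' };
}

// httpGetJson(url) is the app's plain (not yet pinned) HTTP call returning a
// Promise<object>; enablePinning() switches the HTTP plugin to pinned mode.
async function startupGate(appVersion, httpGetJson, enablePinning) {
  let body;
  try {
    body = await httpGetJson('/api/minVersion');
  } catch (e) {
    // Fail closed: no verdict, no pinning, no further traffic
    return { ok: false, reason: 'minVersion check failed: ' + e.message };
  }
  const verdict = evaluateMinVersion(appVersion, body);
  if (verdict.ok) await enablePinning();
  return verdict;
}
```

Because this request runs before pinning is switched on, its response is untrusted input that only decides whether to continue; a failure or malformed reply stops the app rather than falling back to unpinned traffic.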
I would like to back up a moment. I get that certificate pinning deals with the problems of rogue CAs, but Let’s Encrypt isn’t a rogue CA. Why can’t you just use ordinary Angular HttpClient here?
Here’s where things start to get weird and/or ironic, because:
…which on the documentation page you linked says:
SSL decryption using man-in-the-middle technique
So you’ve deliberately injected a MitM into your connection. It’s no wonder that:
…but I’m not clear on how that indicates that:
…because it looks to me like Packet Capture is decrypting it. Any blackhat sitting between your device and the backend should see encrypted traffic. Try running Wireshark or something similar upstream to check.
Now, if your definition of “MitM” includes stuff that the owner of the device running your app is deliberately doing, I’m going to argue that that’s an overly broad and therefore not very useful definition. There is absolutely nothing you can do to prevent somebody with a copy of your app binary sniffing data that they are sending from your app. They could always run your app on an emulator or rooted device.