Hello CT Policy Team,
I am writing on behalf of the mobile engineering team at Abu Dhabi Commercial Bank (ADCB), UAE. We experienced a production outage on 10th June affecting our corporate banking mobile application (iOS and Android) that we believe was related to a Certificate Transparency policy or log trust change.
We would appreciate your help in understanding what may have occurred.
---
ISSUE SUMMARY
On 10th June, starting approximately 2:30 PM GST, our mobile application began failing SSL connections to our API endpoints (apicentral.adcb.com). The application was using the @bam.tech/react-native-app-security library (v0.5.5), which enforces Certificate Transparency validation as part of its SSL pinning implementation.
The failure appeared to affect all users across both iOS and Android platforms simultaneously. No changes were made to our server certificates, infrastructure, or application code on that date.
By approximately 7:30 PM GST the same evening, connections began succeeding again without any intervention on our end.
---
OUR INVESTIGATION SO FAR
We have reviewed our certificate on crt.sh and SSL Labs and confirmed:
- Our certificate has valid SCTs embedded
- The certificate was not reissued on the date of the outage
- The certificate chain appears intact
Given that the failure was spontaneous, affected all users simultaneously, and self-resolved without any action on our part, we suspect the root cause may be one of the following:
- A CT log that our certificate's SCTs reference was temporarily marked as non-compliant or disqualified
- A change in the trusted log list that was subsequently reverted
- A propagation or availability issue with a CT log server itself
---
OUR QUESTIONS
1. Was any CT log status change (disqualification, temporary suspension, or trust list update) made on 10th June that was later reverted?
2. Is there a public changelog or incident log for CT log trust decisions that we can monitor going forward to get advance notice of such changes?
3. Is there a recommended way for application developers to be notified when a CT log their certificates rely on is at risk of disqualification?
---
We have since replaced the third-party library with a self-managed SSL pinning implementation to remove the CT enforcement dependency. However, for the purposes of our internal Root Cause Analysis and to prevent future incidents, understanding the exact trigger would be extremely valuable.
Any guidance or information you are able to share would be greatly appreciated.
Thank you for your time and for the important work the CT Policy team does in maintaining the integrity of the web PKI ecosystem.
Best regards,
Aditya
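The message above suspects a status change on a CT log referenced by the certificate's SCTs and asks how to learn that a log is at risk. As an added example (not part of the original message and not code from the library it mentions), the sketch below compares a certificate's SCT log IDs with a log-list snapshot and names the logs whose loss alone would break compliance. The log IDs, operator names, accepted states and the two-SCT/two-operator thresholds are assumptions chosen for illustration.

```python
import json

# Constructed snapshot laid out like the public v3 CT log list (log_list.json).
# Operator names, log IDs and timestamps are made up for this example.
LOG_LIST = json.loads("""{"operators": [
 {"name": "Operator A", "logs": [
  {"log_id": "id-a1", "state": {"usable": {"timestamp": "2000-01-01T00:00:00Z"}}},
  {"log_id": "id-a2", "state": {"retired": {"timestamp": "2000-06-01T00:00:00Z"}}}]},
 {"name": "Operator B", "logs": [
  {"log_id": "id-b1", "state": {"readonly": {"timestamp": "2000-03-01T00:00:00Z"}}}]}]}""")

# Assumptions, not any client's exact policy: which states still count, and
# the thresholds. Real policies also weigh SCT timestamps and cert lifetime.
ACCEPTED_STATES = {"qualified", "usable", "readonly"}

def index_logs(log_list):
    """Map log_id -> (operator name, current state name)."""
    index = {}
    for operator in log_list.get("operators", []):
        for log in operator.get("logs", []):
            state = next(iter(log.get("state", {})), "unknown")
            index[log["log_id"]] = (operator["name"], state)
    return index

def assess(sct_log_ids, log_list, min_scts=2, min_operators=2):
    """Report each SCT's log state and whether the set meets the thresholds."""
    index = index_logs(log_list)
    scts, operators = [], set()
    for log_id in sct_log_ids:
        operator, state = index.get(log_id, (None, "not-in-list"))
        counts = state in ACCEPTED_STATES
        scts.append({"log_id": log_id, "state": state, "counts": counts})
        if counts:
            operators.add(operator)
    accepted = sum(s["counts"] for s in scts)
    ok = accepted >= min_scts and len(operators) >= min_operators
    return {"compliant": ok, "scts": scts}

def fragile_logs(sct_log_ids, log_list):
    """Log IDs whose loss alone would push a compliant SCT set below the thresholds."""
    if not assess(sct_log_ids, log_list)["compliant"]:
        return []
    return [lid for lid in sct_log_ids
            if not assess([x for x in sct_log_ids if x != lid], log_list)["compliant"]]

if __name__ == "__main__":
    cert_scts = ["id-a1", "id-a2", "id-b1"]  # constructed: log IDs from a cert's embedded SCTs
    print(assess(cert_scts, LOG_LIST))
    print("fragile:", fragile_logs(cert_scts, LOG_LIST))
```

Run on a schedule against a fresh log-list download, a non-empty `fragile_logs` result is the early signal: the certificate is still accepted, but one more log state change would make CT-enforcing clients reject it.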