Does PhoneGap check SSL server Certificates


Nicolaus
Apr 3, 2014, 8:58:11 AM
to phon...@googlegroups.com
Hello,

Does PhoneGap check SSL certificates from the server to determine whether it talks with the right server?

Nicolaus


jcesarmobile
Apr 3, 2014, 9:05:01 AM
to phon...@googlegroups.com
No, you have to do that yourself

You have this plugin
https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin

But it checks that the connection is right just when you check with the plugin; the proper way would be a plugin that does a GET or POST to the server, checking the certificates at the same time.

jw123
Apr 4, 2014, 12:21:13 PM
to phon...@googlegroups.com
Well, just to be clear -- it checks them the same way your phone's web browser checks them, using the device's trusted certificate list. It doesn't check them against a specific list of certificates embedded in the app, which the plugin below does.

Nicolaus
Apr 29, 2015, 7:00:00 AM
to phon...@googlegroups.com
PhoneGap on iOS 8 doesn't check SSL certificates from the server at all in case of an https/SSL connection. For Android there is a debug flag, android:debuggable="true"; when this is used there is no check. But this is not what I want. On iOS, is there also something like a debug flag to switch the certificate check off?
Or is there something else why PhoneGap is not checking the SSL certificates?

On Thursday 3 April 2014 14:58:11 UTC+2 Nicolaus wrote:

jcesarmobile
Apr 29, 2015, 10:33:22 AM
to phon...@googlegroups.com
None of them check the certificates; the debuggable="true" on Android just ignores bad or self-signed certificates.

On iOS you can ignore certificates by adding this at the end of the AppDelegate.m

// Category on NSURLRequest (private API) that answers YES for every host,
// so any HTTPS certificate is accepted: this disables certificate validation entirely.
@implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}
@end

but remove it before submitting the app to the Apple store; they could reject the app.

Kerri Shotts
Apr 29, 2015, 12:05:03 PM
to phon...@googlegroups.com

Nicolaus
May 11, 2015, 4:33:29 AM
to phon...@googlegroups.com
Thx Kerri,

The links you posted are about SSL certificate pinning. But I'm looking for something else. Standard browsers like Chrome and Firefox on laptops have a list of about 200 trusted Certificate Authorities (CAs). This list is installed and maintained by installations/updates of the browser. (Certificate pinning is one security level higher/better.)
My questions:
  1. Does PhoneGap, like Chrome, have a list of trusted Certificate Authorities?
  2. Is the standard way of working that PhoneGap checks whether the SSL certificate it receives from the SSL server is published by one of the CAs in its list?
  3. If 2 is yes, does PhoneGap raise an error when the certificate is not published by one of the CAs in its list?

On Thursday 3 April 2014 14:58:11 UTC+2 Nicolaus wrote:
Hello,

jcesarmobile
May 11, 2015, 4:53:34 AM
to phon...@googlegroups.com
Cordova allows the connection if the web certificate is on the trusted certificates list you can find in the Settings app -> Security -> Trusted certificates.

Nicolaus
May 11, 2015, 7:36:36 AM
to phon...@googlegroups.com
Hi,

Is it possible that there is a problem and PhoneGap doesn't check this?
See the message:

jcesarmobile
May 11, 2015, 8:55:27 AM
to phon...@googlegroups.com
The Android webview can communicate with the server using SSL if the server certificate is signed by one of the root CAs installed on the device, but it doesn't check that you talk with the right server.

If you want to make sure you are talking to your server, then use the SSL pinning plugin, where you can see if the certificate fingerprint is the fingerprint you expect it to be.

PhoneGap/Cordova don't check anything; the connection is handled by the Android webview, so the OS handles the connection.

Nicolaus
May 11, 2015, 11:11:08 AM
to phon...@googlegroups.com
I agree that pinning is more secure. I'm working with iOS, but I suppose your statements for Android also apply to iOS?
Does the OS check whether the certificate has been signed by one of the root CAs installed on the device? If yes, do I get an error code in my PhoneGap app when the certificate has not been signed by one of the root CAs?

On Monday 11 May 2015 14:55:27 UTC+2 jcesarmobile wrote:

jcesarmobile
May 11, 2015, 12:55:52 PM
to phon...@googlegroups.com
Yes, iOS has root CAs installed and won't let you connect if the server certificate isn't signed by one of them.

You'll see this error or something like that on the console:
NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

Nicolaus
May 12, 2015, 3:46:37 AM
to phon...@googlegroups.com
Our security department did a "man in the middle" attack and noticed that sending a certificate not signed by a CA is accepted by the iPad: our PhoneGap app does start, makes a connection and communicates with the "man in the middle". The same attack using a Safari browser instead of our PhoneGap app results in an error and no connection. What can be the issue?

On Monday 11 May 2015 18:55:52 UTC+2 jcesarmobile wrote:

jcesarmobile
May 12, 2015, 8:12:51 AM
to phon...@googlegroups.com
Can you explain what you mean by

"that sending a not signed certificate (by CAs) is accepted by the iPad"

Did you add this to the AppDelegate.m?

// Category on NSURLRequest (private API) that answers YES for every host,
// so any HTTPS certificate is accepted: this disables certificate validation entirely.
@implementation NSURLRequest(DataController)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
    return YES;
}
@end

If you did, remove it; that code is for ignoring certificate checks.

Nicolaus
May 12, 2015, 11:41:45 AM
to phon...@googlegroups.com
No, I didn't add this code.

On Tuesday 12 May 2015 14:12:51 UTC+2 jcesarmobile wrote:

jcesarmobile
May 12, 2015, 1:45:21 PM
to phon...@googlegroups.com
Can you explain what you mean by
"that sending a not signed certificate (by CAs) is accepted by the iPad"

Kerri Shotts
May 12, 2015, 6:09:01 PM
to phon...@googlegroups.com, ncno...@gmail.com
Are you using any plugins? There are some plugins that can disable the certificate checking.

I'm assuming your MITM attack used a certificate that wasn't self-signed, and used a CA that wasn't installed on the device? This should have failed in normal circumstances. Even so, this is no guarantee of security -- what if the MITM attack happens to use a certificate with a CA that /is/ installed on the device -- that would pass. Certificate pinning / fingerprint checking is your only option to have any assurance that you're talking to the right server. (And of course, there are ways around that as well... sigh, security is ///hard///).

When testing this, are you building debug or release? To the best of my knowledge, iOS doesn't care, but Android sure makes some differentiation here (debug builds don't care nearly as much about validating this stuff as do release builds). Even though I don't think iOS cares, it'd be worth verifying.

Did your security guy also try self-signed certs with a MITM attack? Did those fail?

Diones A
May 12, 2015, 6:54:20 PM
to phon...@googlegroups.com
Is it possible to buy a valid certificate?

You can find a signed SSL certificate on GoDaddy for just AUD5,99/year -> http://tiny.cc/hcg1xx

Steve Sobol - Lobos Studios
May 12, 2015, 6:57:23 PM
to phon...@googlegroups.com
Ssls.com is US$14.97 for a Comodo domain-validated certificate that is good for three years. Under $5/year.


-- 
Lobos Studios - Website and Mobile App Design & Development; IT Support; Computer Maintenance
Toll Free  877.919.4WEB - Apple Valley 760.684.8859 - Los Angeles 310.945.2410 - Cleveland 216.242.4010
www.LobosStudios.com * www.facebook.com/LobosStudios * @LobosStudios


Nicolaus
May 13, 2015, 7:40:17 AM
to phon...@googlegroups.com
Added a proxy (Burp Suite) to the WiFi connection. Burp generates its own CA certificate (self-signed), but this is not detected by iOS/Cordova/PhoneGap.

On Tuesday 12 May 2015 19:45:21 UTC+2 jcesarmobile wrote:

Nicolaus
May 13, 2015, 7:44:41 AM
to phon...@googlegroups.com, ncno...@gmail.com
Security guys did use Burp Suite Pro to generate a self-signed certificate, which was accepted without warning by iOS/Cordova/PhoneGap.

On Wednesday 13 May 2015 00:09:01 UTC+2 Kerri Shotts wrote:

Nicolaus
May 13, 2015, 9:20:34 AM
to phon...@googlegroups.com, ncno...@gmail.com
A certificate signed by a CA which is not in the 'list of trusted CAs' on iOS has been used.
It shouldn't be easy to get a certificate from a trusted CA with an identity (URL or something) that is not yours?

On Wednesday 13 May 2015 00:09:01 UTC+2 Kerri Shotts wrote:
Are you using any plugins? There are some plugins that can disable the certificate checking.

Kerri Shotts
May 13, 2015, 11:07:43 AM
to phon...@googlegroups.com, ncno...@gmail.com
Well, one shouldn't assume that because I have a trusted cert that my identity has been verified. What if a CA is hacked? But even so, I can get a certificate for nothing (to next-to-nothing) that doesn't impose very strict validation requirements (beyond owning a domain / email). If you assume that trusted certs are safe, I can easily MITM you with that cert, because the CA is trusted. This is why you need to check if the cert from the server is the one you really expect, because MITMs can be done with trusted certs.

Regardless, why your untrusted cert has been accepted is the issue here -- and that's not normal. Do you have any plugins installed, and if so, which ones? Have you tried building release vs debug? As I said before, I don't think it matters on iOS, but if you've been doing debug thus far, try it in release mode. Also, just for sake of completeness, how are you building / testing your app? Locally? PG Build? Phonegap developer app?