Uw betrouwbare partner voor (mobiele) web applicaties
TwitterEmailRSS

Certificate Pinning Plugin for PhoneGap to prevent Man in the Middle Attacks

A while ago my colleagues and I were working on a PhoneGap app which required a high level of security. Among other measures, we implemented certificate pinning to prevent Man in the Middle attacks. In this blog I’ll tell you what we’ve done and give you a link to a certificate pinning PhoneGap plugin I recently wrote.

Man in the Middle attackman-in-the-middle-attack

Ofcourse you have secured communication with an SSL certificate on the server. With a desktop browser, you will normally see the green certificate bar next to the URL. In a mobile app however, there is no such bar, so you won’t notice when it suddenly turns red because an attacker is impersonating the server with a self signed certificate. This may happen when f.i. you use the app via a compromised public WiFi hotspot. The attacker intercepts all traffic without the user noticing it.

Certificate pinning

A good way to make sure your app connects directly to your server, is by checking the fingerprint of the SSL certificate. In our app we implemented this purely in native code for iOS and Android and it works great; intercepting traffic via a proxy is no longer possible. (Note that we also encrypt the data itself, just in case this solution gets compromised.)

Native iOS and Android implementation

So what the code needs to do is fetch the certificate from the endpoint the app connects to and compare its fingerprint to a list of fingerprints your app allows to connect to. In Java, it looks a bit like this (simplified):

boolean isConnectionSecure(url, expectedFingerprint) {
  return expectedFingerprint.equals(getFingerprint(url));
}

String getFingerprint(String httpsURL) {
  HttpsURLConnection cnx = (HttpsURLConnection) new URL(httpsURL).openConnection();
  Certificate cert = cnx.getServerCertificate();
  MessageDigest md = MessageDigest.getInstance("SHA1");
  md.update(cert.getEncoded());
  return getHex(md.digest());
}

PhoneGap plugin

I’ve wanted to enable fellow PhoneGap developers to use this feature via a plugin and finally took the time to create the plugin. With the plugin, developers can create a Javascript call like this one to verify the connection with the server:

var server = "https://build.phonegap.com";
var fingerprint = "8F A5 FC 33 20 2D 45 B4 EC 95 87 F0 50 F0 18 14 DF 98 50 64"; // valid until sep 2014

window.plugins.sslCertificateChecker.check(
          successCallback,
          errorCallback,
          server,
          fingerprint);

Once the successCallback is invoked, you can be pretty sure there is no Man in the Middle attack going on.

The SSLCertificateChecker plugin can be found here, on Github.

What about PhoneGap Build?

PhoneGap Build is fully supported by the plugin.

Oh, and if you are using PhoneGap Build, I highly recommend our Buildmeister app, which will make your development cycle a bit shorter:

Android app on Google Play

Buildmeister - X-Services

Sign an Android debug-APK for release in Play

“Video’s don’t play and the app is slow”

Game TV
That’s the feedback I got a day after publishing a new version of Game TV to the Google Play store. I thoroughly tested the debug version of the app (built with PhoneGap Build) and it worked fine. After installing the released version myself, I found that indeed the scrolling in the app was terribly sluggish and video’s only played in fullscreen (not as an embedded inline video).

UPDATE: PhoneGap Build has been fixed, so Build users can simply sign the release apk in the cloud.

What to do?

It turned out, I was not alone in this one: it’s a bug in PhoneGap Build where release APK files are incorrectly build (a.o. no hardware acceleration).

I could have waited for the bug to be resolved, but when writing this blog, the problem was already a month old. In the meanwhile I would’ve had a lot of complaints about Game TV. So I tried:

  • Reverting to the previous version of the app in Google Play. This wasn’t possible, because the newer version was already in use, so Play didn’t allow me to activate an older version.
  • Uploading a previously correctly built version. This didn’t work, because again, there was already a distributed version with a higher buildnumber.
  • Build the app offline, instead of using PhoneGap Build. Ofcourse this could have been done, but it would have been a significant effort and lots of testing, while loosing customers.

Then I wondered: “why can’t I release the debug version of the app?

Sign an Android debug-APK for release in Play

Well, it turns out you can. And that’s what solved my problem. Take these steps to use your debug apk and turn it into a release apk yourself (sorry, Mac example only):

  • Get your debug apk. In my case, I downloaded an unsigned build from PhoneGap Build (set the key-dropdown to ‘no key selected’).
  • Fire up a Terminal and cd to the folder where your apk lives. In this case: GameTV-debug.apk
  • Remove the META-INF dir which contains the debug certificate stuff:

    zip -d GameTV-debug.apk META-INF/\*

  • Now we need to sign it for release with our keystore. For PhoneGap Build users: this is what you uploaded when creating a release key for Android. You’ll need to replace alias_name with the correct value. Don’t know it? Running the first command will show all entries in your keystore, look for ‘Alias name’ in the output, then use that value in the second command:

    keytool -list -v -keystore /path/to/your.keystore

    jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore /path/to/your.keystore GameTV-debug.apk alias_name

  • This will prompt you for your keystore password and sign it with your release certificate.
  • Now it’s time to zipalign the apk and we’re done:

    zipalign -v 4 GameTV-debug.apk GameTV-zipaligned.apk

Upload your zipaligned apk to Google Play and sleep well 🙂

Promo: Using PhoneGap Build for your apps?

If you do, you may also want to use our nice new app: Buildmeister, a mobile app for easily managing your PhoneGap Build apps.
Android app on Google Play

Buildmeister - X-Services