self-signed ssl certificate not being blocked when deployed to Android - android

I noticed that my app, when deployed to android, is accepting self-signed certificates in the server.
To help with the issue I created a snapshot of what I am doing on StackBlitz as recommended.
https://stackblitz.com/edit/ionic-login-test
I added the Cordova Android platform and then ran:
ionic cordova run android --prod
I then set up a local development server using Django, with a self-signed SSL certificate managed by nginx, which is listening on https://192.168.0.10/.
When I access the phone for debugging on Chrome, I can see the login occurs successfully.
I would expect to see an error and be sure that the data was not sent to the server, as it could not be verified.
What I would expect is a result
Response with status: 0 for URL: null
and a
Failed to load resource: net::ERR_INSECURE_RESPONSE
at the console.
But instead I am getting the error from the server of a failed login.
I am running everything on Arch Linux.

I posted this issue on their GitHub repository and this seems to be a feature. Self-signed SSL certificates are only blocked when the --release flag is added and your APK is manually signed.
Here is the link to ghenry22's reply
Cheers

Related

Issue with `fetch` request in Android app built with expo

Problem
We have an app on the Play Store. After signing in, or when the app opens, we make an API request to our server to pull the current account's profile information.
We've had an issue where this request isn't being performed.
What We've Done So Far
Running the app on a device with expo-cli, we traced the issue to an issue with certificates; we were missing the certificate chain.
We updated the configuration, and confirmed the fix when running the app via expo-cli on a device.
However, the app downloaded from the Play Store is still failing at this point in the app. The code we're running through expo-cli is what we built and published to the Play Store.
After routing requests on the device through a local proxy, we can see that this request isn't being performed, which is what we saw running the app via expo-cli when the SSL handshake was failing. We think it's somehow the same problem or a different issue trusting the server's certificate.
When connecting to the server through a browser on the device, there are no issues with the certificate.
Questions
Any missing information I should include?
Is there configuration for the app that might be affecting our requests?
Is there a way to debug network requests other than a proxy?
Is it possible with eas or expo-cli to build an apk with debuggable true?
Thanks for reading.

SSL pinning with react-native

Hi mobile experts,
I am working on an SSL certificate. I am running into a problem with the SSL pinning configuration in the mobile app (react-native).
I am using Network Security Configuration for Android and App Transport Security Settings for iOS.
I got the certificate file with the .pem extension and it is successfully pinned for Android. The thing is, iOS with the new configuration only accepts the hash key, which is typically calculated from the certificate file.
When I am trying to pin the hash key, it is failing for both iOS and Android. Is there any need for the hash key to also be configured on the server side?
This is the error I got:
Text handshake failed; returned -1, SSL error code 1, net_error -202
Android doc: https://developer.android.com/training/articles/security-con...
iOS doc: https://developer.apple.com/news/?id=g9ejcf8y
Hope that anyone has any good information for me.
Thank you in advance!
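Added example, not code from the post above or from either platform's documentation: a shell script that computes the value the pin fields on both platforms take, the base64 SHA-256 of the certificate's SubjectPublicKeyInfo (Android `<pin digest="SHA-256">`, iOS `SPKI-SHA256-BASE64` under NSPinnedDomains), from the same .pem file already pinned on Android, and emits both config snippets. The pin is a hash of the public key, not of the certificate file, so hashing the whole .pem gives a different, wrong value; the script shows both so the difference is visible. The certificate, private key and host name (api.example.test) are generated here for the demo; `served_pin` needs network and is defined but not called.

```shell
#!/bin/sh
# Added example (not from the post). Requires only openssl and coreutils.
# Demo certificate, key and host name are constructed below.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# spki_pin CERT_PEM
#   base64(SHA-256(SubjectPublicKeyInfo DER)): hash of the public key, not of
#   the certificate file, so it survives a renewal that keeps the same key.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# key_pin KEY_PEM
#   the same value derived from the private key's public half; equality with
#   spki_pin shows the pinned .pem belongs to the key the server really uses.
key_pin() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# cert_sha256 CERT_PEM
#   fingerprint of the whole certificate: a common mistake, and NOT what the
#   pin fields expect. Included only to make the difference visible.
cert_sha256() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# served_pin HOST
#   pin of the leaf the live server presents (needs network; not called in
#   this offline demo). If it differs from spki_pin of your .pem, the server
#   is not serving the certificate you pinned.
served_pin() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# show_config HOST PIN: the two platform snippets that take the value
show_config() {
    printf '<!-- Android res/xml/network_security_config.xml -->\n'
    printf '<domain-config>\n  <domain includeSubdomains="true">%s</domain>\n' "$1"
    printf '  <pin-set>\n    <pin digest="SHA-256">%s</pin>\n  </pin-set>\n</domain-config>\n' "$2"
    printf '\n<!-- iOS Info.plist, inside NSPinnedDomains -> %s -->\n' "$1"
    printf '<key>NSPinnedLeafIdentities</key>\n<array>\n  <dict>\n'
    printf '    <key>SPKI-SHA256-BASE64</key>\n    <string>%s</string>\n  </dict>\n</array>\n' "$2"
}

# Constructed demo certificate; in practice use the .pem you pin on Android.
openssl req -x509 -newkey rsa:2048 -nodes -keyout demo.key -out demo.pem \
    -subj "/CN=api.example.test" -days 1 2>/dev/null

PIN=$(spki_pin demo.pem)
[ "$PIN" = "$(key_pin demo.key)" ]        # same public key on both sides
[ "$PIN" != "$(cert_sha256 demo.pem)" ]   # whole-certificate hash is a different value
show_config api.example.test "$PIN"
```

Nothing is configured on the server for this: the pin is derived from the public key the server already presents. In a real configuration add a second `<pin>` / dict entry for a backup key kept offline, otherwise a key rotation locks every installed app out.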

Invalid certificate received from server

WebAPI (built with .Net) is hosted on a server and called from iOS and Android apps using HTTPS. No changes have been made to certificates or otherwise. The iOS app works fine, and the web app using the same API works fine, but since this morning all Android apps (running on Android version 5.x or lower only) using the API have started crashing with this error.
android.runtime.JavaProxyThrowable: System.AggregateException: One or more errors occurred. ---> System.Net.WebException: Error: TrustFailure (The authentication or decryption has failed.) ---> System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server.
Checked certificates, certificate chain, everything. No issues. If the certificate is invalid, no other apps should be working, and why all of a sudden? Can someone point to where to look? I searched this site and found a few threads, but their solutions require changes in Android app code. That can't be done (and deployed) so quickly. Why all of a sudden, if someone can throw some light on it? Nothing has even been updated on our test Android devices.
Tested the server through SSL Labs and handshakes come on Android simulations:
Solved, and the app on those older Android versions works now. I had to disable the COMODO root certificate COMODO RSA Certification Authority with SHA1 key afe5d244a8d1194230ff479fe2f897bbcd7a8cb4 in certificate manager everywhere it was. Apparently Windows Update added this and it was somehow conflicting and making an intermediate certificate not be sent from the server (in the second certificate chain; the first chain was OK). Normally if an intermediate certificate is not sent, clients download it from the issuer, but the Android Mono framework apparently doesn't do that.
Thank you Adm Selec https://community.qualys.com/thread/15295 for the solution.

Cordova App won't do SSL in Release Build

I have an Ionic App which needs to connect to a server with SSL (it's an HTTPS URL). When I run cordova build and an unsigned debug APK gets created, everything works fine. Once I run cordova build --release and sign the app as demonstrated in the docs: https://ionicframework.com/docs/guide/publishing.html the request gets cancelled with no error message. I found out that this is due to a missing SSL certificate, which Android automatically cancels.
How can I solve this? Just create a Certificate, add it to my Keystore and then?
Or is there something else going wrong?

How do I fix incomplete certificate chain in nginx

I'm using a package called Coronium Cloud and I have recently set up SSL. Coronium Cloud is a server package for apps developed with Corona SDK. It uses nginx as the server for the package. There is a control panel that you connect to through your browser, which loads fine, and Firefox says the certificate is trusted. However it does not work in the app but instead shows an error saying the certificate is not trusted (CertPathValidatorException on Android). I used a tool by DigiCert to check the SSL configuration:
screenshot of digicert test
There were instructions by the creator of Coronium Cloud on how to set it up, all of which I followed. I got the certificate from startssl.com and used their nginx certificate. Does anyone know how I can fix this issue, as it is holding me back from developing other features as I now can't use any part of my app till this is fixed.
Thank you in advance to anyone who can help me
You should use the certificate chain provided by your Certificate Authority, at the same time as your certificate, and follow the nginx documentation:
https://nginx.org/en/docs/http/configuring_https_servers.html#chains
cat www.example.com.crt bundle.crt > www.example.com.chained.crt
And in your server block:
ssl_certificate www.example.com.chained.crt;
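Added example, not code from any post or answer on this page: a shell script that uses openssl to reproduce, offline, how a verifying TLS client judges the three server-side situations that run through this page. It builds a private PKI (root, intermediate, leaf) plus a self-signed leaf, then checks what a client that trusts only the root makes of (a) the self-signed certificate from the first post, (b) the leaf served without its intermediate, the incomplete chain behind the CertPathValidatorException and Mono TrustFailure posts, and (c) the chained file the nginx answer above builds with `cat`. The CA names, the host name 192.168.0.10 and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Uses only openssl and coreutils; all
# subjects and file names below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue NAME SUBJECT ISSUER CA
#   creates NAME.key and NAME.crt. ISSUER is the name of the signing cert,
#   or "-" for self-signed. CA is TRUE/FALSE for basicConstraints.
issue() {
    name=$1 subj=$2 issuer=$3 ca=$4
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$name.key" 2>/dev/null
    openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:%s\n' "$ca" > "$name.ext"
    if [ "$issuer" = - ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
            -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
            -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    fi
}

# verdict FILE
#   simulates a client that trusts only root.crt and receives exactly the
#   certificates in FILE from the server (leaf first, as nginx sends them).
#   Prints OK, or the numeric openssl verify error code for the failure.
verdict() {
    out=$(openssl verify -CAfile root.crt -untrusted "$1" "$1" 2>&1) \
        && { echo OK; return 0; }
    printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
}

# Private PKI: root -> intermediate -> leaf, plus a self-signed leaf like the
# one nginx serves in the first post.
issue root       "/CN=Demo Root CA"       -     TRUE
issue inter      "/CN=Demo Intermediate"  root  TRUE
issue leaf       "/CN=192.168.0.10"       inter FALSE
issue selfsigned "/CN=192.168.0.10"       -     FALSE

# 18 = self-signed certificate: what a verifying client must report for the
# first post's setup. A build that logs in anyway is not verifying at all.
printf 'self-signed only     : %s\n' "$(verdict selfsigned.crt)"
# 20 = unable to get local issuer certificate: the intermediate is missing,
# the incomplete chain behind CertPathValidatorException / TrustFailure.
printf 'leaf, no intermediate: %s\n' "$(verdict leaf.crt)"
# The nginx fix from the answer above: leaf first, then the CA bundle.
cat leaf.crt inter.crt > chained.crt
printf 'leaf + intermediate  : %s\n' "$(verdict chained.crt)"
```

Order matters in the chained file: nginx sends the certificates in the order written, and clients expect the server certificate first. Browsers often hide case (b) because they fetch missing intermediates themselves, which is why a desktop check passes while the mobile client fails; `openssl verify -untrusted` does no such fetching and so reproduces the mobile behaviour.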
