We are listening to our customers. One of the most requested features is now available in Mobile SDK 1.5: making secure calls to APIs on external servers (other than MAG), including public servers. In previous versions, you could only make secure API calls to applications that were enrolled with the MAG server.
With the new MASSecurityConfiguration object, you can customize the following security settings for API calls:
- SSL pinning method
- Certificate (as an array of strings, as in msso_config)
- Public Key Hash (as a string)
- Evaluate the domain name of the certificate on the server trust (boolean)
- Evaluate the certificate against root certificates on device (boolean)
- Default credentials injection on API calls (boolean)
For this release, the Mobile SDK supports only the certificate signature algorithm SHA256withRSA with a 2048-bit RSA key (the most widely used combination). We are looking at other algorithms such as ECDSA (Elliptic Curve Digital Signature Algorithm) and ECC (Elliptic Curve Cryptography).
So, let's get straight to the point and see how it works with a step-by-step sample. To keep things simple, we chose a public API that requires neither authentication nor enrollment. In this sample we add ipify as a trusted source by creating a MASSecurityConfiguration object and adding it to MASConfiguration. Then we invoke the API, which returns a JSON document containing the caller's IP address. This walkthrough assumes you have used the MAS SDK before, but if you never have, don't worry: we point out where to get help completing each step.
Before starting on the iOS part, we need to obtain the certificate and public key hash of our target host so we can add them to the security configuration. In the steps below, we use OpenSSL to extract both.
Note: macOS already includes OpenSSL; if you are using another operating system, please refer to openssl.org.
Get Public Key Hash
1. Open a terminal and run the following OpenSSL command to extract the certificates from the ipify host and store them in a .pem file.
$ echo -n | openssl s_client -connect api.ipify.org:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./api.ipify.org.pem
If you list the files in the current folder, you will see api.ipify.org.pem.
2. Extract the public key hash from api.ipify.org.pem with the following OpenSSL command.
$ openssl x509 -in api.ipify.org.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
3. Copy the public key hash printed by the command (you will use it in a later step).
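The value produced by step 2 is the base64-encoded SHA-256 digest of the certificate's DER-encoded SubjectPublicKeyInfo (SPKI), which is exactly what a public-key pin compares against. The following Python script is an added example, not part of the original post or of the MAS SDK: it computes the same pin from a .pem file using only the standard library, so you can cross-check the OpenSSL output or generate pins on a machine without OpenSSL. The certificate it parses is a constructed, self-contained sample (the RSA modulus and signature are placeholder bytes, not a real key); point `spki_pin_from_pem` at the contents of api.ipify.org.pem to pin a real host. `pin_matches` shows the constant-time comparison a client should use when checking a presented key against the configured hash.

```python
"""Compute an SPKI public-key pin (SHA-256, base64) from a PEM certificate, stdlib only."""
import base64
import hashlib
import hmac
import ssl


def _der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, definite-length encoding)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER structure truncated")
    return tag, start, end


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, content_start, content_end, tlv_start) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, cs, ce = _read_tlv(buf, pos)
        yield tag, cs, ce, pos
        pos = ce


def spki_from_der_cert(der: bytes) -> bytes:
    """Return the raw DER bytes of the certificate's SubjectPublicKeyInfo.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, s, e = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = next(_children(der, s, e))
    if tbs[0] != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_children(der, tbs[1], tbs[2]))
    if fields and fields[0][0] == 0xA0:  # skip the explicitly tagged version field
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    spki = fields[5]
    return der[spki[3]:spki[2]]  # whole SPKI TLV, as 'openssl rsa -pubin -outform der' emits it


def spki_pin_from_pem(pem: str) -> str:
    """base64(SHA-256(DER SPKI)): the same value as the page's step 2 pipeline."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return base64.b64encode(hashlib.sha256(spki_from_der_cert(der)).digest()).decode("ascii")


def pin_matches(expected_pin: str, presented_pin: str) -> bool:
    """Constant-time comparison of a configured pin against the one computed from a presented cert."""
    return hmac.compare_digest(expected_pin.encode("ascii"), presented_pin.encode("ascii"))


# --- constructed sample certificate (placeholder key material, not a real CA-issued cert) ---
def _integer(v: int) -> bytes:
    return _der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # keeps sign bit clear


def _name(cn: str) -> bytes:  # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }
    attr = _der_tlv(0x30, _der_tlv(0x06, bytes.fromhex("550403")) + _der_tlv(0x0C, cn.encode()))
    return _der_tlv(0x30, _der_tlv(0x31, attr))


_RSA_ALG = _der_tlv(0x30, _der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + b"\x05\x00")
_SHA256_RSA_ALG = _der_tlv(0x30, _der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
_FAKE_MODULUS = int.from_bytes(b"\xc3" + bytes(range(1, 32)), "big")  # constructed, not a real key
_RSA_KEY = _der_tlv(0x30, _integer(_FAKE_MODULUS) + _integer(65537))
SAMPLE_SPKI = _der_tlv(0x30, _RSA_ALG + _der_tlv(0x03, b"\x00" + _RSA_KEY))
_VALIDITY = _der_tlv(0x30, _der_tlv(0x17, b"200101000000Z") + _der_tlv(0x17, b"300101000000Z"))
_TBS = _der_tlv(0x30, _der_tlv(0xA0, _integer(2)) + _integer(1) + _SHA256_RSA_ALG
                + _name("constructed issuer") + _VALIDITY + _name("api.example.invalid") + SAMPLE_SPKI)
SAMPLE_CERT_PEM = ssl.DER_cert_to_PEM_cert(_der_tlv(0x30, _TBS + _SHA256_RSA_ALG + _der_tlv(0x03, b"\x00" * 33)))
SAMPLE_PIN = base64.b64encode(hashlib.sha256(SAMPLE_SPKI).digest()).decode("ascii")

if __name__ == "__main__":
    print(spki_pin_from_pem(SAMPLE_CERT_PEM))
```

Because the pin covers only the public key, it stays valid when the server renews its certificate with the same key pair and changes only when the key is rotated; keep a pin for the next key ready before rotating, or the app will refuse the new certificate.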