Certificate pinning for Android and iOS: Mobile man-in-the-middle attack prevention

Hi All,

We have developed an Enterprise Business App with Corona SDK, and during the security vulnerability scan our security team suggested implementing certificate pinning to avoid/prevent “man-in-the-middle attacks” during REST API communication between the server and the App.

If I understand correctly, it is not supported by Corona SDK yet. I am looking for any alternate option, maybe a method/library or even Corona Cards plugins, to help achieve it.

Below is the reference link for what we want to achieve for both Android and iOS: https://www.raywenderlich.com/5634-securing-network-data-tutorial-for-android

Any help will be appreciated!

Daljit

The easiest way that I can see is to create plugins for TrustKit. It is on my list to do but not sure if I’ll get them done this month or next.

https://github.com/datatheorem/TrustKit

https://github.com/datatheorem/TrustKit-Android
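As an added example, not code from this thread or from TrustKit itself, the pure-Python sketch below shows what a pinning plugin has to enforce on the Corona side of the REST calls: pins are base64 SHA-256 hashes of each certificate's DER SubjectPublicKeyInfo, a pin set needs a backup pin so key rotation does not brick the app, and the connection is allowed only if some certificate in the validated chain matches a pin (or the policy is report-only). The domain name and all key bytes are constructed placeholders.

```python
import base64
import hashlib
from dataclasses import dataclass

# DER prefix of a SubjectPublicKeyInfo for an Ed25519 key (RFC 8410);
# the 32 raw key bytes follow it.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki_der(raw_key: bytes) -> bytes:
    """Wrap 32 raw key bytes in the DER SubjectPublicKeyInfo structure."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def spki_pin(spki_der: bytes) -> str:
    """Pin format used by HPKP and TrustKit: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinPolicy:
    domain: str
    pins: frozenset          # set of spki_pin() strings
    enforce: bool = True     # False = report-only: log, but do not block

    def __post_init__(self):
        # A single pin bricks the app on key rotation; require a backup pin.
        if len(self.pins) < 2:
            raise ValueError(f"{self.domain}: at least two pins required")


def check_chain(policy: PinPolicy, chain_spki_ders: list) -> tuple:
    """Decide whether a TLS connection may proceed; returns (allowed, reason).

    chain_spki_ders holds the SPKI of each certificate in the chain the OS has
    already validated; a pin may match the leaf, an intermediate or the root.
    """
    for der in chain_spki_ders:
        if spki_pin(der) in policy.pins:
            return True, "pin matched"
    if policy.enforce:
        return False, "no pinned key in chain; connection blocked"
    return True, "no pinned key in chain; report-only mode, connection allowed"


# Constructed placeholder key bytes (not real Ed25519 points), demo only.
SERVER_KEY = hashlib.sha256(b"constructed server key").digest()
BACKUP_KEY = hashlib.sha256(b"constructed backup key").digest()
PROXY_KEY = hashlib.sha256(b"constructed interception proxy key").digest()

POLICY = PinPolicy("api.example.com", frozenset({
    spki_pin(ed25519_spki_der(SERVER_KEY)),
    spki_pin(ed25519_spki_der(BACKUP_KEY)),
}))
```

With this policy, a chain presenting the server or backup key is accepted, while a chain terminated by an interception proxy's key is blocked in enforce mode and only reported in report-only mode.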

Thanks for your response @agramonte!

I tried looking into TrustKit. Since I am not familiar with Android/iOS development or with plugin development for Corona, could you point me to some resources that I can go through to understand it better?

Also, to give you an idea of the architecture of the app: most of our components are loaded in the form of HTML pages inside a web view, which does REST API communication with the server. However, there are a couple of critical components of the app that are built in Corona itself, and they also do some REST API communication with the server. My question is, will building a plugin for TrustKit help with both types of communication or just the one implemented in Corona?

Your help is really appreciated!

I don’t really know most of the answers to your questions. I don’t really use web views in my apps, so I am mostly concerned with my REST requests. There are other people in these forums that might be able to help you. If I don’t run into any problems when I implement TrustKit as a plugin, I’ll put it up in the marketplace. I’ll probably wait until the 64-bit build of Corona is working before starting.

Hi agramonte,

As you mentioned, did you get a chance to work on the plugin for this?