
Certificate Pinning on Android / iOS in-App Browser

My company follows certificate pinning for mobile. We're starting to add login via an in-app browser in our mobile apps (similar to Google, Facebook, and other enterprise companies). I spoke to the web team implementing this feature, and they'd never heard of certificate pinning, which is a common practice on mobile.

I'm curious if Chrome / Safari automatically certificate pin, or if it's something you have to do manually in the browser.

I'm curious if Chrome / Safari automatically certificate pin, or if it's something you have to do manually in the browser.

Chrome was supporting HPKP, but it has been removed in the Chrome 72 release for both the desktop and Android versions.

You can see a complete list of browsers supporting it here, which now looks like this:

[image: browser support table for HPKP]

But ironically, this site says that it is removed for desktop but not for Android, and it seems that it was never supported in iOS Safari.

and they'd never heard of certificate pinning, which is a common practice on mobile.

I would like to alert you to the fact that certificate pinning can be bypassed, therefore you cannot use it as the only security measure. You can read more in an article I wrote, Bypassing Certificate Pinning, to see how certificate pinning can be bypassed in a mobile app.

In this article you will learn how to repackage a mobile app in order to make it trust custom SSL certificates. This will allow us to bypass certificate pinning.
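To make concrete what "pinning" meant in the browser world the answer describes, here is an added Go example (not code from the question, the answer, or any browser project) that computes pins the way the now-removed HPKP `Public-Key-Pins` header carried them, base64(SHA-256(SubjectPublicKeyInfo)), and checks a presented chain against a pin set the way an app's own pinning layer would. The certificates are throwaway self-signed ones minted in the program, and `login.example.com` is a placeholder hostname; the `must` helper and function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin computes a pin as HPKP (and Android's network_security_config) express it: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// chainMatchesPins reports whether any certificate in an already validated chain carries a pinned key.
func chainMatchesPins(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newTestCert mints a throwaway self-signed certificate (constructed test data, not a real site).
func newTestCert(cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
func main() {
	site, backup := newTestCert("login.example.com"), newTestCert("login.example.com")
	pins := map[string]bool{spkiPin(site): true, spkiPin(backup): true} // HPKP required a backup pin
	// The header a site sent while browsers still honoured HPKP; the pin values are what a pin set stores.
	fmt.Printf("Public-Key-Pins: pin-sha256=%q; pin-sha256=%q; max-age=5184000\n", spkiPin(site), spkiPin(backup))
	fmt.Println("unpinned cert accepted:", chainMatchesPins([]*x509.Certificate{newTestCert("login.example.com")}, pins))
}
```

A certificate with an unpinned key is rejected even though it would pass ordinary chain validation; that is the extra check pinning adds, and also why it no longer happens automatically in Chrome or Safari.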
