iOS SSL Pinning

Warning:

If your app's target is iOS 14, you must use the Info.plist configuration for SSL pinning.

SSL Pinning

The Netmera SDK supports SSL pinning to ensure secure communication with our servers. You can implement SSL pinning in one of two ways:

  1. Using a Certificate File (netmera.com.cer) (Supports iOS 11 and above)

  2. Using Info.plist Configuration (Supports iOS 14 and above)

Important: Implement Only One Method

Only one method should be implemented. Choose either the certificate file method or the Info.plist configuration method, not both.

For On-Premises Customers

If you are an on-premises customer, the certificate file name must still be netmera.com.cer, but you should use your own URL instead of sdkapi.netmera.com when configuring the Info.plist.

Option 1: Using a Certificate File (netmera.com.cer / Supports iOS 11 and above)

This method is supported on iOS 11 and above.

  1. Add the Certificate to Your Project

    • Download the netmera.com.cer certificate file and add it to your Xcode project.

    • Ensure it is included in your app's target.

  2. The Certificate File Name Must Be netmera.com.cer

    • The SDK looks for the file netmera.com.cer in your project bundle. Ensure the file name matches exactly.

  3. No Additional Configuration is Needed

    • Once the certificate is added to the project with the correct name, the SDK will automatically detect it and enable SSL pinning.

Option 2: Using Info.plist Configuration (Supports iOS 14 and above)

This method is supported on iOS 14 and above.

Step 1: Generate the Public Key Hash

Use the following openssl command to generate the public key hash for the certificate:

openssl s_client -showcerts -servername your-custom-url.com -connect your-custom-url.com:443 </dev/null 2>/dev/null | \
openssl x509 -outform PEM | \
openssl x509 -inform pem -noout -outform pem -pubkey | \
openssl pkey -pubin -inform pem -outform der | \
openssl dgst -sha256 -binary | openssl enc -base64

Replace your-custom-url.com with your custom URL if you are an on-premises customer or use sdkapi.netmera.com for the default Netmera service.

Example output:

A1C7RK0nAsHviju64ImO48VgSY5FdOMxv9GJh0uMXJQ=

Step 2: Add the Configuration to Info.plist

Open your app’s Info.plist file and add the following configuration:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSPinnedDomains</key>
    <dict>
        <key>your-custom-url.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSPinnedLeafIdentities</key>
            <array>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>A1C7RK0nAsHviju64ImO48VgSY5FdOMxv9GJh0uMXJQ=</string>
                </dict>
            </array>
        </dict>
    </dict>
</dict>

Replace:

  • your-custom-url.com with your custom domain (for on-premises customers).

  • the example string under the SPKI-SHA256-BASE64 key with the hash value generated in the previous step. The key name SPKI-SHA256-BASE64 itself stays unchanged.

Step 3: Save and Build Your Project

After adding the configuration, save the Info.plist file and rebuild your project.

Compatibility

| Method | Supported iOS Versions |
| --- | --- |
| Certificate File | iOS 11 and above |
| Info.plist Configuration | iOS 14 and above |

Important Notes

  1. Choose Only One Method:

    • Do not use both methods simultaneously. The SDK will not function correctly if both methods are implemented.

    • Select the method that aligns with your project requirements.

  2. On-Premises Customers:

    • The certificate file name must remain netmera.com.cer.

    • If you are using the Info.plist method, replace sdkapi.netmera.com with your custom URL.

  3. Certificate Updates: If the server certificate changes, update the netmera.com.cer file or regenerate the public key hash and update your Info.plist.

  4. Testing: Test your SSL pinning implementation using tools like Proxyman to verify that requests fail if the certificate or key hash does not match.
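A release-time check for the Certificate Updates note, added here as an example and not part of the Netmera SDK: it extracts the SubjectPublicKeyInfo from a DER certificate using only the Python standard library, computes the same Base64 SHA-256 value as the openssl pipeline in Step 1, and compares it with the pins in an Info.plist. All function names and the sample data are assumptions constructed for illustration.

```python
import base64, hashlib, plistlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_pin(cert_der):
    """Base64(SHA-256(SubjectPublicKeyInfo)) of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)       # outer Certificate SEQUENCE
    _, pos, end = read_tlv(cert_der, pos)   # TBSCertificate SEQUENCE
    fields = []
    while pos < end:                        # record (tag, start, end) of each field
        tag, _, nxt = read_tlv(cert_der, pos)
        fields.append((tag, pos, nxt))
        pos = nxt
    if fields and fields[0][0] == 0xA0:     # skip the optional [0] version field
        fields.pop(0)
    if len(fields) < 6:
        raise ValueError("not an X.509 certificate")
    _, start, stop = fields[5]              # serial, sigAlg, issuer, validity, subject, SPKI
    return base64.b64encode(hashlib.sha256(cert_der[start:stop]).digest()).decode()

def plist_pins(plist_bytes, domain):
    """SPKI-SHA256-BASE64 values pinned for domain in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    ids = ats.get("NSPinnedDomains", {}).get(domain, {}).get("NSPinnedLeafIdentities", [])
    return [i["SPKI-SHA256-BASE64"] for i in ids if "SPKI-SHA256-BASE64" in i]

def pin_is_current(cert_der, plist_bytes, domain):
    """True when the certificate's SPKI hash is among the pins for domain."""
    return spki_pin(cert_der) in plist_pins(plist_bytes, domain)

def tlv(tag, value):
    """Encode one DER element (used only to build the constructed sample)."""
    size = (len(value).bit_length() + 7) // 8
    head = bytes([len(value)]) if len(value) < 0x80 else bytes([0x80 | size]) + len(value).to_bytes(size, "big")
    return bytes([tag]) + head + value

# Constructed sample: certificate-shaped DER with dummy fields, not a real certificate.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")) + tlv(0x03, b"\x00" + b"\xAB" * 270))
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4
                  + SAMPLE_SPKI) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_PLIST = plistlib.dumps({"NSAppTransportSecurity": {"NSPinnedDomains": {"your-custom-url.com": {
    "NSPinnedLeafIdentities": [{"SPKI-SHA256-BASE64": spki_pin(SAMPLE_CERT)}]}}}})
```

For a real check, pass the DER bytes of the server certificate and the bytes of your app's Info.plist to pin_is_current; a False result means the pinned hash no longer matches the certificate's public key.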

By following this guide, you can secure your app's communication with Netmera servers using SSL pinning. If you have any questions, please contact our support team. 👍
