Certificate pinning can be enabled in individual SDKs through the mobile-services.json file.
Certificate pinning will only be enabled for services which are used directly by the SDKs. For
other services SPKI pinning is used. Mobile services must have pinning configured
separately. For more information on setting up certificate pinning for mobile services see the
Android network security guide.
The Android SDK gets its configuration from the https section of the mobile-services.json file
in a project.
{
"services":[],
"https": {
"certificatePins": [{
"host": "example.sync.service",
"certificateHash": "exampleHash"
}]
}
}To include the https section in configuration when generating it using the Mobile CLI use the
--include-cert-pins flag when retrieving a client configuration. By default, self-signed or
invalid certs will not be permitted to be included in the certificate pinning configuration. To
allow these to be included use the --insecure-skip-tls-verify flag.
./mobile get clientconfig <client name> --include-cert-pins --insecure-skip-tls-verifyIf the https section is included in the mobile-services.json file then certificate pinning will
automatically be enabled for mobile services.
If the certificate authority of a service changes then the mobile-services.json file will need to
be regenerated in order to retrieve the correct https configuration. The app will then need to be
rebuilt and republished for the end users to consume. If this is not done then an app may become
incapable of making network requests to other services.