iOS SSL pinning error - SSL pinning validation failed: ensure the target domain's MASSecurityConfiguration is correctly configured.


Article ID: 236087


Products

CA Mobile API Gateway

Issue/Introduction

The customer is trying to run the official iOS sample using its msso_config.json and always gets an SSL pinning error.

The same sample runs successfully on Android.

Environment:

  • API Gateway 10.0 CR3
  • MAG 4.2
  • MAS SDK 2.2
  • Xcode 13.2.1 (13C100)

Log error:

2022-02-17 16:26:44.523411-0300 MASAuthentication[10456:308591] Response headers : (null)

2022-02-17 16:26:44.525512-0300 MASAuthentication[10456:308591] Response headers : (null)

2022-02-17 16:26:44.537188-0300 MASAuthentication[10456:308591] -[MASMainViewController invokeAPI:]_block_invoke_2 [Line 363] endpoint result: {

}

How can we make it work?

Environment

Release : 4.2

Component : MOBILE API

Cause

Apple blocks communication below TLS 1.3

Resolution

1. On iOS, the msso_config.json is expected to contain the complete chain of certificates in the server/server_certs section.
iOS does a strict evaluation of server_trust during the SSL handshake to check that all the certificates in the msso_config.json match.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/mobile[…]os-2-2-guide/SSL-Pinning-and-SSL-Trusted-Certificates.html

2. The problem was resolved after adding NSAllowsArbitraryLoads to the app's Info.plist:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
  <true/>
</dict>

This option was used because "Apple blocks communication below TLS 1.3".

Note: MASFoundation does not yet distinguish these errors from SSL pinning errors and treats them as part of SSL pinning, because the errors returned by Apple are very generic.
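NSAllowsArbitraryLoads disables ATS restrictions for all network connections except domains configured under NSExceptionDomains, so it helps to audit exactly what an Info.plist relaxes and for which hosts. The script below is an added example, not code from Broadcom or the MAS SDK; both plists, the host gateway.example.com, the TLSv1.1 value and the function name audit_ats are constructed for illustration.

```python
import plistlib

# Constructed sample: Info.plist carrying the ATS block from the resolution.
GLOBAL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict></plist>"""

# Constructed sample: an exception scoped to one hypothetical gateway host.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>gateway.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.1</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

GLOBAL_KEYS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent")
DOMAIN_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
               "NSExceptionMinimumTLSVersion",
               "NSExceptionRequiresForwardSecrecy")

def audit_ats(plist_bytes):
    """Return (scope, key, value) for each checked ATS override in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    # Global switches apply to every host not listed under NSExceptionDomains.
    findings = [("ALL DOMAINS", k, True) for k in GLOBAL_KEYS if ats.get(k) is True]
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        for key in DOMAIN_KEYS:
            # Report any per-domain override so a reviewer can judge its value.
            if key in rules:
                findings.append((domain, key, rules[key]))
    return findings

if __name__ == "__main__":
    for name, data in (("global", GLOBAL_PLIST), ("scoped", SCOPED_PLIST)):
        for scope, key, value in audit_ats(data):
            print(f"{name}: {scope}: {key} = {value}")
```

Run against the app's built Info.plist, a finding scoped to ALL DOMAINS means the relaxation is not limited to the gateway host.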

 

Additional Information

https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity/nsallowsarbitraryloads
