Resco Mobile Certificate Pinning validation
This article describes a new security feature now available in the Resco Mobile solution that lets the mobile client validate the server certificate it receives. This matters on mobile devices, which routinely connect over networks the organisation does not control.
Over the last few months we have been working with the Resco.net solution integrated with Dynamics 365, and it has been a great experience. It is definitely a very competitive option if you are considering a mobile solution for your business and CRM implementation.
This new Certificate Pinning validation feature was introduced in version 10.2.1.
Basically, it allows the mobile client to confirm that the service it is connecting to (e.g. Dynamics 365) is the expected one, and not just any server presenting a certificate the device happens to trust.
Normally, once you configure the Resco app with the corresponding Dynamics 365 URL, you would expect everything to be fine and the connection to be safe, because TLS validates the server certificate against the device's trust store:
However, in a hostile environment where the network cannot be trusted, a malicious party positioned between the device and the service could intercept the connection and present a fraudulent certificate. Standard TLS validation does not help if that certificate chains to a root the device trusts, for example a root installed by the user or by a device management profile, or one issued by a compromised CA:
To address this risk, Resco has added certificate pinning validation on top of its existing TLS handling:
Within Woodford, an administrator can now configure the thumbprint(s) of the expected certificate(s):
The certificate thumbprint can be found easily using, for example, the certificate viewer in Internet Explorer. Note that the thumbprint shown there is the SHA-1 hash of the certificate's DER encoding, so it changes every time the certificate is renewed, even if the key stays the same:
In this example, the Resco mobile app would have downloaded the corresponding Woodford project containing the thumbprint “62 7C 0A 58 A2 64 76 77 1D 55 74 10 35 56 F8 79 54 33 F6 05”. When the app connects to the service, it compares that value with the thumbprint of the certificate actually presented. If they match, the connection proceeds; otherwise the connection is refused and the user gets the following error:
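To make the comparison above concrete, here is an added example (not Resco's code, and not how the app is implemented internally) of the same check written in Python: it normalises a thumbprint as an administrator might type it into Woodford, computes the Windows-style thumbprint (SHA-1 over the DER encoding) of a presented certificate, and accepts the connection only if it matches one of the configured pins. The pin list, the `PinMismatch` exception and the byte string standing in for a certificate are constructed for the example; `fetch_leaf_cert_der` is the only part that touches the network and is not needed to run the check itself.

```python
import hashlib
import hmac
import socket
import ssl

# Pins as an administrator would enter them in Woodford. The first value is the
# thumbprint from the article; the list may hold several (e.g. current and next cert).
PINNED_THUMBPRINTS = [
    "62 7C 0A 58 A2 64 76 77 1D 55 74 10 35 56 F8 79 54 33 F6 05",
]


class PinMismatch(Exception):
    """Raised when the presented certificate matches none of the configured pins."""


def normalize_thumbprint(text: str) -> str:
    """Accept 'AA BB', 'aa:bb' or 'aabb' and return upper-case hex with no separators.

    Rejects anything that is not exactly 20 bytes of hex, so a typo in the
    Woodford configuration fails loudly instead of silently never matching.
    """
    cleaned = "".join(ch for ch in text if ch not in " :-\t\r\n").upper()
    if len(cleaned) != 40 or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {text!r}")
    return cleaned


def thumbprint_of(der_cert: bytes) -> str:
    """Thumbprint as the Windows/IE certificate viewer shows it: SHA-1 of the DER bytes."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def format_thumbprint(hex_thumbprint: str) -> str:
    """Render a thumbprint as space-separated byte pairs, e.g. '62 7C 0A ...'."""
    h = normalize_thumbprint(hex_thumbprint)
    return " ".join(h[i:i + 2] for i in range(0, len(h), 2))


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the presented certificate's thumbprint equals any configured pin."""
    actual = thumbprint_of(der_cert)
    # compare_digest keeps the comparison constant-time; every pin is checked
    # so a malformed entry raises ValueError rather than being skipped.
    return any(hmac.compare_digest(actual, normalize_thumbprint(p)) for p in pins)


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Perform a normal TLS handshake (chain and hostname are still verified by
    the default context) and return the server's leaf certificate in DER form.
    Pinning is an additional check on top of that validation, not a replacement."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_pinned_host(host: str, pins=PINNED_THUMBPRINTS) -> str:
    """Connect, check the pin before any application data is sent, and return
    the accepted thumbprint. Raises PinMismatch on an unexpected certificate."""
    der = fetch_leaf_cert_der(host)
    if not pin_matches(der, pins):
        raise PinMismatch(
            f"{host} presented {format_thumbprint(thumbprint_of(der))}, "
            f"which is not one of the configured thumbprints"
        )
    return thumbprint_of(der)


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; no real certificate is embedded.
    fake_der = b"constructed-not-a-real-certificate"
    print("presented:", format_thumbprint(thumbprint_of(fake_der)))
    print("matches configured pins:", pin_matches(fake_der, PINNED_THUMBPRINTS))
```

Because the thumbprint covers the whole DER encoding, a routine certificate renewal produces a new value even when the key pair is reused, so the practical workflow is to add the new certificate's thumbprint alongside the current one before rotation and remove the old one afterwards; a pin list with only the old value would make every client fail with the mismatch error on the day the certificate changes.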
You can find more details about the certificate pinning technique, including its trade-offs around certificate rotation, in the guidance published by the Open Web Application Security Project (OWASP).