Resco Mobile Certificate Pinning validation

This article describes a new security feature now available in the Resco Mobile solution that validates the server certificate the app connects to. This is an important consideration when you are dealing with mobile devices, which often connect over networks you do not control.

Over the last few months, we have been working with the Resco.net solution integrated with Dynamics 365 and it has been a great experience. It is definitely a very competitive alternative if you are considering a mobile solution for your business and CRM implementation.


This new Certificate Pinning validation feature has been introduced in version 10.2.1.

Basically, it allows the mobile client to confirm that the service it is connecting to (e.g. Dynamics 365) is the expected one, rather than trusting any certificate the device's trust store happens to accept.

Normally, once you configure the Resco App with the corresponding Dynamics 365 URL, you would expect everything to be fine and the connection to be safe based on the TLS protocol:

[Figure: TLS certificate]

However, in a hostile environment where the network cannot be trusted, a malicious party could intercept this connection and present a fraudulent certificate that the device still accepts as valid:

[Figure: Malicious TLS certificate]

To avoid this risk, Resco has implemented a certificate pinning validation based on their current solution:

[Figure: Resco certificate pinning solution]

Within Woodford, an administrator will now be able to configure the expected certificate thumbprint(s):

[Figure: Resco Woodford certificate settings]

The Certificate Thumbprint can be found easily using, for example, Internet Explorer:

[Figure: Dynamics 365 certificate, root]

[Figure: Dynamics 365 certificate thumbprint]

In this example, the Resco Mobile App would have downloaded the corresponding Woodford Project with the Thumbprint “62 7C 0A 58 A2 64 76 77 1D 55 74 10 35 56 F8 79 54 33 F6 05”. When the app connects to the service, it compares that value with the thumbprint of the certificate actually presented. If they are the same, it carries on; otherwise, the user gets the following error:

[Figure: Resco Mobile App certificate error]
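As an added illustration of the check described above (this is not Resco's code), the following Python sketch does what the app does: take the SHA-1 thumbprint of the DER-encoded certificate, normalise the value as copied from a certificate viewer, and compare it against the configured pin list. The function names and the sample byte strings are constructed for the example; only `fetch_server_der` touches the network and it is not called here.

```python
import hashlib
import hmac
import ssl


def normalize_thumbprint(text: str) -> str:
    """Accept a thumbprint as pasted from a certificate viewer
    ("62 7C 0A ..." or "62:7c:0a:...") and return 40 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch.isalnum()).lower()
    if len(cleaned) != 40 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a 40-hex-digit SHA-1 thumbprint")
    return cleaned


def thumbprint_of_der(der_cert: bytes) -> str:
    """The thumbprint shown by Windows/Internet Explorer is SHA-1 over the DER bytes."""
    return hashlib.sha1(der_cert).hexdigest()


def format_like_viewer(hex_digest: str) -> str:
    """Render as upper-case space-separated pairs, the form an admin pastes into Woodford."""
    return " ".join(hex_digest[i:i + 2] for i in range(0, 40, 2)).upper()


def matches_pin(der_cert: bytes, pinned_thumbprints) -> bool:
    """True if the presented certificate matches any configured pin.
    Comparison is constant-time; a False result is what produces the app's error."""
    actual = thumbprint_of_der(der_cert)
    return any(hmac.compare_digest(actual, normalize_thumbprint(p))
               for p in pinned_thumbprints)


def fetch_server_der(host: str, port: int = 443) -> bytes:
    """Retrieve the leaf certificate a live server presents (network call)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed sample data: stand-ins for DER-encoded certificates.
EXPECTED_CERT_DER = b"constructed-der-bytes-of-the-expected-dynamics-365-certificate"
FRAUDULENT_CERT_DER = b"constructed-der-bytes-of-an-interceptor-certificate"
# The pin list as an administrator would configure it, in viewer format.
PINS = [format_like_viewer(thumbprint_of_der(EXPECTED_CERT_DER))]

if __name__ == "__main__":
    print("expected certificate accepted:", matches_pin(EXPECTED_CERT_DER, PINS))
    print("fraudulent certificate accepted:", matches_pin(FRAUDULENT_CERT_DER, PINS))
```

Pinning the leaf certificate this way means the pin list must be updated before the service certificate is renewed, or the app will refuse a legitimate connection.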

You can find more details about the Certificate Pinning technique in the Open Web Application Security Project (OWASP) documentation.

Image credits: Icons made by Freepik and Smashicons from https://www.flaticon.com

About Ramon Tebar

Software Engineer specialised on Microsoft Technologies with experience in large projects for different industrial sectors as developer, consultant and architect. I enjoy designing and developing software applications, it is my job and one of my hobbies. I’m interested in design patterns, new technologies and best practices. Making those part of the ALM process is a great challenge. During the last years, I have specialised in Microsoft Dynamics CRM (now Dynamics 365). I customise and extend the platform to provide tailored solutions and integrations based on service-oriented architectures and messages queuing. Motivated by community events and contributor in blogs, technical books, open source projects and forums, I have been awarded Microsoft Most Valuable Professional (MVP) on Dynamics 365 (CRM) since 2012.

Posted on October 23, 2017, in Dynamics 365, Mobile, Resco.
