Client Certificate on Titanium Appcelerator - ssl

Keeping things simple: I need to add a client certificate to a mobile app developed in Titanium, but I have no clue about how to start.
I have found no info on the next, except:
A reference on Titanium Dev Site to a 'securityManager' class, which should finally implement a platform-based method.
An HTTPS module for Titanium, but it seems to cover only server key pinning, not client certificates.
On the other hand I was trying to find any additional component which speeds up integration of a TLS layer, including the client cert. feature. So far I have found this but it seems that the HTTP feature is not well documented.
Basically the question is, is there any way to implement client certificates on Titanium Appcelerator? (versions SDK 5.5.0; Studio 4.7.1).
Any suggestion will be greatly appreciated.

Unfortunately, the pinning was not enough in our case; we have a client asking specifically for Certificate Authentication.
I ended up rewriting a whole new HTTP client starting from this module:
https://github.com/ioxdue/two-way-authentication/tree/master/HTTPSSLTiModule
The delegate "didReceiveAuthenticationChallenge" only works with NSURLConnection. Titanium used to use that library up to the 3.4.0 SDK but then switched to a different library.

Related

The IAP server-side module in php

My hired service does not allow Java applications to run at the service provider. Therefore, the IAP server module must be implemented in PHP.
I wrote PHP code. I think I can implement it. But if someone has already done it, I would save some development time.
Please inform me: is there a public PHP implementation of an IAP server-side module?
IAP servers have a huge range of complexity depending on the needs of your business. The simplest implementation would be just a receipt validator, and there are a handful of open-source examples of this on GitHub (https://github.com/aporat/store-receipt-validator).
Since you mentioned saving development time, there are services such as RevenueCat that manage a complete IAP server for you.

Does NativeScript support certificate pinning?

I'm doing some research on cross-platform mobile development with NativeScript and I've been unable to find any information on certificate pinning in NativeScript. I know Telerik provides the secure-http module to achieve true certificate pinning for hybrid mobile apps, maybe I looked over it in their roadmap.
Cheers.
Yes, you can do it via a module called nativescript-https.
Install the plugin:
tns plugin add nativescript-https
You are required to set up a certificate as well. Please check nativescript-https for more details.

What is API-facing code?

So I'm wondering: what does API-facing code mean? I have been googling it, but I can only see sentences with it, not an explanation of it...
Context: "The code supporting this article has been provided as a single Android app for illustrative purposes. In practice you should not distribute your server-side API keys in an Android app as your key cannot be secured against unauthorised access from a third party. Instead, to secure your keys you should deploy the API-facing code as a server-side proxy and have your Android app send requests via the proxy, ensuring requests are authorized."
Can you explain to me what API-facing code means? Thank you and I'm looking forward to your reply!
In this context, "API-facing code" is the code that interacts with the API. They are suggesting the creation of a server component (proxy) that sits between Android and the API, so that the key does not need to be distributed with the Android app. (Instead the "in-between" piece on the server holds the key.)
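The proxy described in the answer above, sketched as an added example (not part of the original answer or the quoted article): the app authenticates with its own per-user token, and only the server attaches the API key. The upstream host, the `x-api-key` header name, the allow-listed paths and the in-memory session store are assumptions, and all sample values are constructed.

```javascript
// Added example. Host, header name, paths and session store are hypothetical;
// all sample values are constructed.
const demoConfig = {
  upstreamOrigin: 'https://api.example.invalid',        // placeholder third-party API
  apiKey: 'constructed-demo-key',                       // in production: env var or secret store
  allowedPaths: new Set(['/v1/geocode', '/v1/places']), // only what the app needs
  sessions: new Map([['sess-constructed-3f9a', { user: 'alice' }]]), // issued at login
};

// Decide whether an app request may be forwarded and, if so, what the proxy sends upstream.
function planUpstreamRequest(appRequest, cfg) {
  // 1. Authorize the caller with a per-user credential, never with the API key.
  const auth = (appRequest.headers && appRequest.headers['authorization']) || '';
  const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
  const session = cfg.sessions.get(token);
  if (!session) return { ok: false, status: 401, error: 'unauthorized' };

  // 2. Forward only allow-listed endpoints on the fixed upstream origin, so the
  //    proxy cannot be used as a general relay that spends the key.
  let url;
  try {
    url = new URL(appRequest.path, cfg.upstreamOrigin);
  } catch (e) {
    return { ok: false, status: 400, error: 'bad path' };
  }
  if (url.origin !== cfg.upstreamOrigin || !cfg.allowedPaths.has(url.pathname)) {
    return { ok: false, status: 403, error: 'endpoint not allowed' };
  }

  // 3. Build upstream headers from scratch: nothing the app sent is copied, and
  //    the key is attached here, on the server.
  const headers = { accept: 'application/json', 'x-api-key': cfg.apiKey };
  return { ok: true, user: session.user, url: url.toString(), headers };
}

// Forward an authorized request; only the upstream status and body go back to the app.
async function handleAppRequest(appRequest, cfg, fetchImpl = fetch) {
  const plan = planUpstreamRequest(appRequest, cfg);
  if (!plan.ok) return { status: plan.status, body: JSON.stringify({ error: plan.error }) };
  const upstream = await fetchImpl(plan.url, { headers: plan.headers });
  return { status: upstream.status, body: await upstream.text() };
}
```

A leaked session token can be revoked per user on the server, whereas a key shipped inside the app can only be rotated for every install at once.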

Feasibility of iOS App using Windows Azure Service Management API?

I have been struggling with setting up an iOS (Objective-C) app which utilizes the Service Management APIs. I was successfully able to get Storage API calls working fine, but from what I'm reading, one big difference between the two Azure APIs seems to be a matter of authentication. For reference, what I'd ideally like to do is set up a simple API call to list the Hosted Services accounts in an app (eventually geared for public deployment).
According to the Azure API documentation, the Service Management APIs require a management certificate (.cer) to be uploaded and then for the client to utilize that cert to authenticate the request. My hunch is that this will prevent an app like the one I want to create from being feasible by any means, since public users with devices containing the downloaded app won't have that cert or the ability to attach it programmatically in the Objective-C code.
Is my hunch correct on this? Is this a forlorn idea that should not be pursued? I would think for this to be possible, the user would be required to upload their device's cert file to Azure somehow, and then to somehow have the app use this cert for authentication. I'm a bit lost on where to even begin on that, even if it is possible. :(
Any helpful info would be greatly appreciated. I have a lot of experience in the iOS side of things, but specifically in authentication/certificates of this type, I unfortunately have minimal experience.
Thanks in advance!!
-Vincent
Actually, I have an app that does exactly what you're talking about. CloudTools for Windows Azure is an iOS app that uses the Azure Management Service API to perform Azure management. It's been on iTunes for over a year.
Your question is somewhat broad, but I can tell you that the certificate issues were by far the biggest issues in designing/developing the app. You can't store the certificate in keychain, because keychain works in a manner such as this: a) you request a remote url that requires a certificate; b) that url tells you that it needs a certificate and c) keychain provides an appropriate certificate. It's a multi-request process. That won't work for Azure, because Azure service management APIs expect the initial call to include the certificate.
I require the users to add their certificate through iTunes File Sharing (steps here). Of course, they have to upload the public key portion to Azure. Then, I provide the certificate and private key with each request. I use the HTTP library ASIHTTPRequest, although I believe that the latest (iOS 5.x) Apple libraries have similar functionality.
I'd be happy to provide any further details if you have any follow-up questions.
With Windows Azure, if you are using the Service Management API then you really need to have certificate-based authentication to create an SSL tunnel between your machine, which is requesting the connection, and the Windows Azure Management Portal. I am not sure how wide your iOS application distribution is.
My first thought is: why would you want to deploy a Windows Azure application from an iOS application? Are you going to build applications on iOS devices and deploy them? Windows Azure application deployment is mostly done on client machines, so Azure application management on iOS is a great idea; however, I am not sure why you would do application deployment from iOS. Maybe you are onto something big here. In both cases you really need the Service Management certificate on the iOS device. If it is an enterprise app where you can let users install the Service Management certificate, it would be easier for iOS devices to use the Service Management API.
So if you want to use the Service Management API from a client iOS app, I think the best solution will be to have a WCF service hosted in Windows Azure which is configured to directly connect with your Windows Azure Portal. From your iOS app, you just make a call to your WCF service. This is a very popular method to access the Service Management API (through a WCF service) from any client app (WP7, iOS, Android), and the client-side code is very light. On the other hand, you may need to pay to host a WCF service on Windows Azure.

Client side ssl in J2me?

How can we implement client side SSL in J2ME?
Are there any available resources or source code?
I want to validate that the particular service is accessed by a particular phone.
The Bouncy Castle Java libraries have a J2ME version (now called JME) that includes an SSL/TLS API.