Apple push notification service for MDM - ssl

I've read a tutorial about Apple push notification here.
Due to it, I have to provide an App Id to identify which application will receive the notification.
In the case of an MDM server, the receiver is the built-in client, so what value do I have to put in the field "App Id" when I register for the SSL certificate?
On another question I posted, I was told that, in the case of MDM, the field "Topic" is used for the built-in client to receive the notification. The topic is put in the MDM payload that the server sends to the client. So how does the server register this field with APNS?
Thanks all,

1) You don't go through usual push certificate creation route.
What you do is the following:
You create a CSR for an APNS request signing certificate
You send it to Apple and Apple will sign it, so you will have an APNS request signing certificate
Each customer will create an APNS CSR and send it to you
You will sign it with APNS request signing certificate
You will return this APNS CSR to the customer
The customer will upload it to Apple
Apple will sign it
Now, the customer has APNS certificate
The customer uploads it to the MDM server
All of this is described in lengthy detail in the MDM protocol documentation.
2) Here is how the topic is shared between a client and the server
The APNS certificate signed by Apple will have a topic in it (in the UID part of the DN)
Your MDM server should extract it from the APNS certificate and put it in the MDM payload.
This payload will be delivered to a device and the OS will send it to the built-in client
Now, both your server and built-in client know the shared topic.
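One way an MDM server could read the topic from the UID part of the subject DN, as point 2 above describes (an added example, not code from the original answer or from Apple). It walks the DER structure with the Python standard library only; sample_cert builds a constructed, unsigned certificate skeleton, and the topic strings used with it are constructed sample values.

```python
# Added example: read the APNs topic from the subject UID of a DER certificate.
UID_OID = bytes.fromhex("0992268993f22c640101")  # 0.9.2342.19200300.100.1.1 (userId)
CN_OID = bytes.fromhex("550403")                 # 2.5.4.3 (commonName)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def apns_topic(cert_der):
    """Return the subject UID of an X.509 certificate, or raise ValueError."""
    _, cert, _ = read_tlv(cert_der, 0)
    tbs = children(children(cert)[0][1])
    if tbs[0][0] == 0xA0:                # optional explicit [0] version field
        tbs = tbs[1:]
    subject = tbs[4][1]                  # serial, sigAlg, issuer, validity, subject
    for _, rdn in children(subject):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)[:2]
            if oid == UID_OID:
                return val.decode("utf-8")
    raise ValueError("certificate subject has no UID attribute")

def tlv(tag, *parts):
    """DER-encode one element (used only to build the constructed sample)."""
    body = b"".join(parts)
    n, nbytes = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + head + body

def sample_cert(subject_attrs):
    """Constructed, unsigned certificate skeleton: real field layout, dummy values."""
    def name(attrs):
        return tlv(0x30, *[tlv(0x31, tlv(0x30, tlv(0x06, o), tlv(0x0C, t.encode()))) for o, t in attrs])
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), tlv(0x30),
              name([(CN_OID, "Constructed Issuer")]), tlv(0x30),
              name(subject_attrs), tlv(0x30))
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00"))
```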

Related

Device authentication using self signed certificate

I am looking for device authentication where:
1) I want to make sure that all calls to my web service\website (hosted on Google App Engine) are coming from an authorized device only, using a device certificate.
2) Each device will have a unique certificate that cannot be transferred to other devices.
3) A device certificate can be revoked anytime.
To achieve the above, I am planning to have another service which would issue certificates to devices which are approved to use my service. I will issue the certificate via email to the user, who will install it manually. My users will use a browser to access my service.
But I am not sure how would I achieve points 2 and 3.
Can you please guide as to how to achieve this using a self signed certificate?
I want to make sure that all calls to my web service\website (hosted on Google App Engine) are coming from an authorized device only, using a device certificate.
You can use an SSL channel with client authentication or add a digital signature to your messages.
Each device will have a unique certificate that cannot be transferred to other devices.
It is not possible to ensure this using software certificates. If you distribute them by email, the user could install them on several devices.
You could use a hardware token (NFC/Bluetooth) or preinstall the certificate in the Android/iOS KeyChain so it would not be extractable, but this complicates the distribution very much.
A device certificate can be revoked anytime.
Check revocation at the server side before accepting a request from a client. There are standard protocols to do this (OCSP, CRL), or use a custom mechanism since you issue them yourself.

Installed SSL certificate but still exposed to man in the middle attack

I have installed an SSL certificate (Comodo PositiveSSL) for my domain and forced NGINX to only use HTTPS.
I ran the test on SSL analyzer
https://sslanalyzer.comodoca.com/?url=domain.com
Validation Type: Domain Validated (DV)
Trusted by Microsoft? Yes
Trusted by Mozilla? Yes
We have our mobile app for Android and iOS getting some data from our https://example.com/api webservices.
So I have installed the Packet Capture mobile app on my Android to verify whether the data transferred between the webservice API and our mobile app is secured.
First I tried enabling the following in the Packet Capture mobile app:
I have contacted Comodo SSL support; they said that the certificate is installed well and it's working fine. There is nothing wrong with the certificate and installation process and the web-site https://example.com/ is also completely secured with a green padlock on it.
I ran the same test on the Instagram app; when I open Instagram, it shows a network error. It is like Instagram discovers in some way that I am trying to capture network packets, so their app's network will be disabled.
I want to do the same as what Instagram did.
Please advise.
Don't worry, if your certificate is valid and contains the right domain name then you've already done everything needed.
A "man in the middle attack" is an attack done on the client.
The client thinks the attacker is the website by compromising his DNS.
Then the attacker relays in and out traffic from/to the real server.
The server is secure but not the client.
Like RamKumar said, the client needs to trust the attacker's certificate, like you did.
EDIT:
You can also use TLS with mutual authentication (mTLS).
With this protocol the client AND the server exchange certificate public keys.
It works as follows:
1) A client requests access to a protected resource.
2) The server presents its certificate to the client.
3) The client verifies the server’s certificate.
4) If successful, the client sends its certificate to the server.
5) The server verifies the client’s credentials.
6) If successful, the server grants access to the protected resource requested by the client.
Some sample:
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/october/mutual-authentication-in-android-and-ios/
With this protocol the man in the middle attack is still possible, but the attacker's certificates need to be trusted by both client and server.
Another custom approach would be to add another layer of encryption using an asymmetric cipher.
To remove that possibility you can use Certificate Pinning to make sure that only the specific certificate you use can be used, to prevent the device from using any other certificate, even if it was signed by a trusted CA. This may still be circumvented by a user, but now he has to modify the application itself in order to disable the check, or change the pinned certificate.
Have a look at how a Certificate Authority (CA) works. In your case, what happens is that the Packet Capture mobile app installs its own CA. Now Packet Capture becomes a trusted CA for your device and certificates signed by them are accepted. Then this app creates its own certificate saying example.com and signs it.
So when it performs a man in the middle attack, the client (your app) communicates with Packet Capture and not example.com, but your app believes it's communicating with example.com, since the certificate provided by Packet Capture is signed by a trusted CA (the Packet Capture CA itself).
Hence this works only when you install their CA. However, a secured connection is made between Packet Capture and example.com.

should the push server support https for apns?

A stupid question, as I have a bad head for HTTPS and SSLs.
The question is simple. As I've read in Apple's APNS guide, an SSL certificate is required. Should this certificate be linked only with my App ID, or should it somehow represent my server to the web?
In other words: is it possible to set up the push server over HTTP, or should it be HTTPS only?
The SSL certificate is needed to verify/identify the sender and the app where the push will be sent to.
From article Certificate-Based Provider-to-APNs Trust
A certificate-based provider connection is valid for delivery to one specific app, identified by the topic (the app bundle ID) specified in the provider certificate (which you must have previously created, as explained in “Generate a universal APNs client SSL certificate” in Xcode Help)
To answer on your question:
Should this certificate be linked only with my App ID or it should somehow represent my server to the WEB?
It has to be linked with your app ID. And it is used to set up a secure connection between your server (PN provider) and the Apple Push Notifications server (for sending requests from the server to APNS).

Certificate pinning in IBM MobileFirst Platform

What are the checks that will be performed when we call the method WL.Client.pinTrustedCertificatePublicKey for a MobileFirst hybrid app?
This is all explained in the documentation. See here: http://www.ibm.com/support/knowledgecenter/SSHSCD_7.1.0/com.ibm.worklight.dev.doc/monitor/c_cert_pinning_intro.html
Certificate pinning is the process of associating a host with its expected public key. Because you own both the server-side code and the client-side code, you can configure your client code to accept only a specific certificate for your domain name, instead of any certificate that corresponds to a trusted CA root certificate recognized by the operating system or browser.
A copy of the certificate is placed in your client application. During the SSL handshake (first request to the server), the IBM MobileFirst Platform Foundation for iOS client SDK verifies that the public key of the server certificate matches the public key of the certificate that is stored in the app.
If pinning is successful, the public key inside the provided certificate is used to verify the integrity of the MobileFirst Server certificate during the secured request SSL/TLS handshake. If pinning fails, all SSL/TLS requests to the server are rejected by the client application.
The API initiates the pinning process.

Sending and Receiving Push notifications on a Progressive Webapp using Pubnub

I have a Progressive WebApp chat application and I want to be able to send or receive Push Notifications (on mobile) and Web (Chrome) Notifications while on desktop. Right now, I have a web client that is able to receive tickles, i.e. data without payloads (payloads will then be fetched through an API call from my server).
I am using Pubnub to talk to GCM and APNS. I have working apps on Web, iOS (native) and Android (native) clients of my project. Right now, I am able to receive Push Notifications on my web app but without the payload.
Nowhere is the server publishing anything. All publishes are done by the clients since it's mainly a chat app.
From my Web/Android client, my pubnubPayload is:
    var pubnubPayload = {
        "text": "no payload!",
        "pn_gcm": {
            "data": {
                "title": "shash",
                "babe": "ya"
            }
        }
    }
And then do a normal publish like this:
    Pubnub.publish({
        channel: myChannel,
        message: pubnubPayload,
        callback: someFunc
    });
So, when I subscribe to a pubnub channel like this:
    Pubnub.subscribe({
        channel: selectedChannel,
        message: function(m){
            console.log(m)
        },
        error: function (error) {
            // Handle error here
            console.log(JSON.stringify(error));
        }
    });
I receive the message through Pubnub AND a push notification (but without the payload) on my webapp.
My question is:
How do I receive push notifications on web that have a payload? Is there some way Pubnub lets you publish encrypted messages for web clients to be able to read the payload of the GCM push notification without using Pubnub's Access Manager?
Or is using PAM my only option and should fix the no payload issue?
PubNub Access Manager not required for Message Encryption
PubNub Access Manager and message encryption are not directly related, and Access Manager is not required to encrypt your messages, but all applications using PubNub should implement Access Manager to control who can do what on channels by granting permissions (read/write/delete) to auth-keys that your client apps will init PubNub with to use those channels as you intended.
Encrypt using Standard TLS (formerly known as SSL)
To encrypt messages, simply initialize PubNub with TLS enabled (ssl might be the name of the parameter but it is the latest TLS, not the old SSL that was deprecated). This will use standard TLS encryption from your server or client apps to the PubNub network.
Encrypt messages using Cipher Key for AES 256 Encryption
If you wish to have your messages encrypted from your server/client apps to PubNub and all throughout PubNub, just provide a cipher key when you initialize PubNub. The best part about this is that you hold the keys, not PubNub, so no one can read your messages except the holders of those cipher keys.
Custom Encryption using the encrypt/decrypt API
The question asked here includes mobile push notifications, which means you can't encrypt the full message if you want the mobile push message to be sent by PubNub to the push services (APNS/FCM) and handled by those services properly. The realtime message will be sent as is - encrypted - to the client subscribers. But you can encrypt the important/confidential parts of the message and leave the parts that need to be read by PubNub and the push services unencrypted, using the encrypt and decrypt APIs. The article, Encryption for APNS, GCM, WMS with PubNub, is a bit old but should provide the required insights.