hellopeach

Reputation: 1074

Whitelist self-signed SSL certificates in an app?

The scenario is like this, we have a mobile app, which communicates with our backend server over https, the app has native modules and HTML5 parts embedded with webview/Cordova, so some of the https communications are from native calls while others are from ajax calls. We want to use a self-signed SSL certificate for our backend server, which was already in use for some of our existing web apps.

For the past web apps, we only need to instruct our clients to add our self-signed certificate into the browser's trusted certificate store and all is good. I wonder what I should do for our mobile app to whitelist our self-signed certificate, especially when connecting with ajax calls from the webview/Cordova embedded HTML5 parts. Currently it seems I can configure the webview to suppress all SSL errors and accept all self-signed certificates, but what if I just want to whitelist our own self-signed certificate?

For example the server address is 192.168.12.25 and I create my own self-signed certificate for that ip address, and I want our mobile app to only recognize this particular self-signed certificate for 192.168.12.25 as valid, not any other arbitrary self-signed certificate.

Upvotes: 0

Views: 2017

Answers (1)

Monish Kamble

Reputation: 1488

What you need is SSL pinning. You have to embed the self-signed certificate of your server into the app and build a TrustManager from it. Refer https://developer.android.com/training/articles/security-ssl#UnknownCa for more details.

Upvotes: 1
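As an added example (not part of the answer above, and not code from the linked Android documentation), here is one way to pin the single self-signed certificate on both paths the question mentions: the native side gets an `SSLContext` whose only trust anchor is the embedded certificate, and the WebView side gets a `WebViewClient` that accepts a certificate error only when the presented certificate is byte-for-byte the pinned one, and cancels in every other case. The raw resource name `R.raw.backend_cert` (a PEM/DER file shipped in the APK) is an assumption; the Bundle key `"x509-certificate"` is the key Android's `SslCertificate.saveState` uses to carry the DER encoding and is used here because `SslCertificate.getX509Certificate()` only exists from API 29.

```java
import android.content.Context;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedSsl {
    // The one certificate we trust, loaded from res/raw/backend_cert (assumed resource name).
    private static X509Certificate pinnedCert;

    // Call once at startup, e.g. from Application.onCreate().
    public static void init(Context ctx) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = ctx.getResources().openRawResource(R.raw.backend_cert)) {
            pinnedCert = (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Native side: an SSLContext whose trust store contains only the pinned certificate,
    // so any other certificate (self-signed or CA-issued) fails the handshake.
    public static SSLContext pinnedContext() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory store
        ks.setCertificateEntry("backend", pinnedCert);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Apply the pinned context to a connection; default hostname verification stays in place.
    public static void pin(HttpsURLConnection conn) throws Exception {
        conn.setSSLSocketFactory(pinnedContext().getSocketFactory());
    }

    // WebView side: instead of proceeding on every SSL error, proceed only when the
    // error is "untrusted issuer" AND the presented leaf is exactly the pinned cert.
    public static final class PinningWebViewClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            if (error.getPrimaryError() == SslError.SSL_UNTRUSTED && matchesPin(error)) {
                handler.proceed();
            } else {
                handler.cancel();   // hostname mismatch, expiry, or a different cert: refuse
            }
        }
    }

    // Compare SHA-256 of the presented DER encoding with SHA-256 of the pinned cert.
    private static boolean matchesPin(SslError error) {
        try {
            SslCertificate presented = error.getCertificate();
            if (presented == null) return false;
            Bundle state = SslCertificate.saveState(presented);
            byte[] der = state.getByteArray("x509-certificate");
            if (der == null) return false;
            return MessageDigest.isEqual(sha256(der), sha256(pinnedCert.getEncoded()));
        } catch (Exception e) {
            return false;
        }
    }

    private static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }
}
```

Two things worth checking in practice: the certificate for `192.168.12.25` must carry that address as an IP subjectAltName, otherwise the WebView reports `SSL_IDMISMATCH` rather than `SSL_UNTRUSTED` and the client above correctly refuses; and because this pins the exact certificate, rotating or renewing it on the server requires shipping an app update with the new file.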
