Question

My iOS app uses an SSL connection to my server API. Using AFNetworking and AFSSLPinningModeCertificate, my app connects over https.

I've just created a .cer file using the command: openssl x509 -in server.crt -outform der -out server.cer from my server.crt.

And it works. Good.

But is it dangerous to simply include this file in my app bundle? I can obtain it simply from my .ipa file (using the unarchiver - show package content).

Any ideas? Thanks in advance.


Solution

In short, yes, it's fine.

You can probably just go to the host you're connecting to in your browser anyway and download that same certificate. It's a public piece of information; you pin the certificate to verify that no third party has intercepted the request (effectively a man-in-the-middle attack) and messed with the data - they would have to re-encrypt the data with a certificate that would be different from the one you were expecting. Your app would then see this and abort the request.

What you don't want to do is bundle the private key of the certificate (there might be a better name for it), as then an attacker could use this to re-sign any intercepted requests with your certificate/key and imitate your server.

The only downside is that when the certificate expires you'll need to update the app, bundling the new certificate with it.
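The check described in the answer, written out as an added example (standard-library Python, not code from the question, the answer or AFNetworking): the PEM-to-DER conversion the asker did with openssl, a SHA-256 fingerprint of the DER bytes, and the exact-match comparison an AFSSLPinningModeCertificate-style client performs against the bundled server.cer, rejecting an interposed certificate. The certificate bytes are constructed placeholders rather than a real X.509 certificate, so the round trip and the comparison can run offline; connect_pinned assumes a reachable host and is the only part that needs a network.

```python
"""Exact-certificate pinning check of the kind AFSSLPinningModeCertificate performs.

Added example using only the Python standard library. The byte strings below are
constructed placeholders, not real X.509 certificates; the pin logic compares the
bytes as it would compare a real DER-encoded leaf certificate.
"""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the DER bytes of server.cer shipped in the app bundle.
PINNED_DER = b"constructed placeholder standing in for server.cer DER bytes"
# Constructed stand-in for the certificate a man-in-the-middle proxy would present.
ATTACKER_DER = b"constructed placeholder standing in for an interposed certificate"

# server.crt is PEM: the same DER bytes, base64-wrapped between BEGIN/END lines.
# Built here from the DER so the example has a matching PEM without a real cert.
PINNED_PEM = ssl.DER_cert_to_PEM_cert(PINNED_DER)


def pem_to_der(pem: str) -> bytes:
    """PEM (server.crt) -> DER (server.cer).

    Equivalent to `openssl x509 -in server.crt -outform der -out server.cer`:
    the base64 body is decoded, nothing else changes. No private key is involved,
    which is why the resulting .cer is safe to ship in the .ipa.
    """
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; the usual way a pin is recorded in logs or config."""
    return hashlib.sha256(der).hexdigest()


def cert_matches_pin(presented_der: bytes, pinned_der: bytes) -> bool:
    """Exact-certificate pin: the leaf the server presents must be byte-identical
    to the bundled one. Digests are compared in constant time."""
    return hmac.compare_digest(
        hashlib.sha256(presented_der).digest(),
        hashlib.sha256(pinned_der).digest(),
    )


def connect_pinned(host: str, port: int, pinned_der: bytes, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the presented leaf matches the pin.

    Assumes a reachable host (not exercised offline). Normal chain validation stays
    on and the pin is checked on top of it; pinning narrows trust, it does not replace
    validation. If the server certificate is self-signed, the handshake will fail
    before the pin check unless the pinned certificate is also loaded as a trust
    anchor, e.g. ctx.load_verify_locations(cadata=pinned_der).
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        presented = tls.getpeercert(binary_form=True)
        if presented is None or not cert_matches_pin(presented, pinned_der):
            # Same outcome as the answer describes: the app notices and aborts.
            raise ssl.SSLError(
                f"certificate pin mismatch for {host}: presented "
                f"{fingerprint(presented or b'')}, expected {fingerprint(pinned_der)}"
            )
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    assert pem_to_der(PINNED_PEM) == PINNED_DER
    print("pinned fingerprint :", fingerprint(PINNED_DER))
    print("genuine server     :", cert_matches_pin(PINNED_DER, PINNED_DER))
    print("interposed cert    :", cert_matches_pin(ATTACKER_DER, PINNED_DER))
```

The expiry caveat from the answer shows up directly in this design: the pin is the full DER encoding, so a renewed certificate (new serial, new validity dates, usually a new key) has a different SHA-256 and fails cert_matches_pin until the app ships the new server.cer.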

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow