Category Archives: Resco

Resco Mobile Certificate Pinning validation

This article describes a new security feature now available in the Resco Mobile solution that allows certificates validation. This is an important consideration when you are dealing with mobile devices.

During the last months, we have been working with the Resco.net solution integrated with Dynamics 365 and it has been a great experience. It is definitely a very competitive alternative if you are considering a mobile solution for your business and CRM implementation.

ramontebar_blog_resco.net_web

This new Certificate Pinning validation feature has been introduced in the version 10.2.1. 

Basically it allows the mobile client to confirm if the service that is connecting to (e.g. Dynamics 365) is the expected one.

Normally, once you configure the Resco App with the corresponding Dynamics 365 URL, you would expect that everything would be ok and the connection would be safe based on the TLS protocol:

ramontebar_blog_TLS Certificate

However, in a hostile environment where the network may not be reliable, a malicious party could take advantage of it and intercept this connection, providing a fraudulent certificate:

ramontebar_blog_Malicious TLS Certificate

To avoid this risk, Resco has implemented a certificate pinning validation based on their current solution:

ramontebar_blog_Resco Certificate Pinning solution

Within Woodford, an administrator will now be able to configure the expected certificate(s) thumbprints:

ramontebar_blog_Resco Woodford Certificate settings

The Certificate Thumbprint can be found easily using, for example, Internet Explorer:

ramontebar_blog_Dynamics 365 Certificate root

ramontebar_blog_Dynamics 365 Certificate Thumbprint

In this example, the Mobile Resco App would have downloaded the corresponding Woodford Project with the Thumbprint “62 7C 0A 58 A2 64 76 77 1D 55 74 10 35 56 F8 79 54 33 F6 05”. When the app connects to the service, it compares that value with the one in the actual certificate. If they were the same, it would carry on; otherwise, the user would get the following error:

ramontebar_blog_Resco Mobile App Certificate error

You can find more details about the Certificate Pinning technique in the Open Web Application Security Project (OWASP)

**Images Credits: Icons made by Freepik and Smashicons from https://www.flaticon.com