MicroStrategy ONE
Add Trusted Server Support in Android
Trusted server support strengthens the normal security provided by HTTPS, in particular making it difficult for a malicious server to carry out a man-in-the-middle attack. While HTTPS simply checks to see if a certificate in the certificate chain for the server exists in the trust store on the mobile device, trusted server support compares the public key for the Mobile Server with the same public key bundled into MicroStrategy Mobile on the mobile device.
Like any other application contacting a server, when a MicroStrategy Mobile application attempts to connect to a Mobile Server, it first performs the standard HTTPS certificate verification. If HTTPS verification is successful, MicroStrategy Mobile then checks to see whether it should verify that the Mobile Server is a trusted server. It does this by looking in the pins folder to see if there are any certificates in a folder with the name of the Mobile Server. If it finds a certificate, it compares the hash of the public key in that certificate with the hash of the public key in the certificate on the Mobile Server. If the hashes match, connection is allowed.
The MicroStrategy Mobile implementation of trusted server support follows the IETF certificate pinning guidelines. In addition to minimizing the risk of a man-in-the-middle attack, trusted server support has the advantage that it will continue working even if the certificate for the Mobile Server changes—for example, if it expires. There is no need to recompile the MicroStrategy Mobile app since the public key itself has not changed, only the certificate. There is also support for multiple certificates for a single Mobile Server. This allows you to create a backup certificate for a Mobile Server, without deploying it, and bundle that certificate in MicroStrategy Mobile. If your existing certificate is compromised, the backup certificate can be deployed and your app can keep working.
- Use the command below:
  openssl s_client -connect fully-qualified_server_name:port# -showcerts > certificate_file_name.pem </dev/null
- Open the .pem file that is generated and keep only the content from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----".
- Save the modified .pem file.
- Determine the "Common Name" of the certificate that was issued. This should be the fully-qualified name of the Mobile Server—for example, myMobileServer1.myDivision.myCompany.com.
To add trusted server support, or certificate pinning, to MicroStrategy Mobile, do the following:
- Open the MicroStrategyMobile project in Android Studio.
- Go to the app -> src -> main -> assets -> pins folder.
- Under the pins folder, add a separate folder for each Mobile Server that you want the MicroStrategy Mobile application to trust. The name of the folder (case-sensitive) should be the fully-qualified name of the Mobile Server—for example, myMobileServer1.myDivision.myCompany.com. This should be exactly the same as the "Common Name" for the certificate that will be placed in the folder.
- In each Mobile Server folder, add the .cer or .pem certificate that should be trusted when MicroStrategy Mobile tries to connect to that server.
- Save your changes.
- Compile the application and deploy it to users.
The names of folders and certificates are case-sensitive.
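A pre-build check for the procedure above, as an added example (not MicroStrategy code): it confirms that a server certificate has a pins folder named after its Common Name and that a bundled certificate there carries the same public key. The function names, the sample file names and the choice of a SHA-256 hash over the SubjectPublicKeyInfo are assumptions; the page does not say which hash the app uses.

```bash
#!/usr/bin/env bash
# Added example, not MicroStrategy code. Needs the OpenSSL command-line tool.
# Assumption: the pin is SHA-256 over the DER SubjectPublicKeyInfo (RFC 7469 style).

# Print the base64 public-key pin of the certificate file $1 (PEM, else DER).
spki_pin() {
  { openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -noout -pubkey; } |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

# Print the Common Name of the PEM certificate file $1.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# check_pins PINS_DIR CERT: succeed if a certificate bundled under
# PINS_DIR/<Common Name of CERT>/ carries the same public key as CERT.
check_pins() {
  local cn want f
  cn=$(cert_cn "$2")
  [ -n "$cn" ] && [ -d "$1/$cn" ] || { echo "no pins folder for '$cn'" >&2; return 2; }
  want=$(spki_pin "$2")
  for f in "$1/$cn"/*.pem "$1/$cn"/*.cer; do
    [ -f "$f" ] || continue
    if [ "$(spki_pin "$f")" = "$want" ]; then echo "match: $f"; return 0; fi
  done
  echo "no bundled key matches $2" >&2
  return 1
}

# Constructed sample data in directory $1: a pins folder holding one
# certificate, a renewal that reuses its key, and a certificate with a new key.
make_demo() {
  local d="$1" host=myMobileServer1.myDivision.myCompany.com
  mkdir -p "$d/pins/$host"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/key.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/other.pem"
  openssl req -new -x509 -key "$d/key.pem" -subj "/CN=$host" -days 30 \
    -out "$d/pins/$host/server.pem"
  openssl req -new -x509 -key "$d/key.pem" -subj "/CN=$host" -days 365 -out "$d/renewed.pem"
  openssl req -new -x509 -key "$d/other.pem" -subj "/CN=$host" -days 365 -out "$d/rekeyed.pem"
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir"
check_pins "$demo_dir/pins" "$demo_dir/renewed.pem"
check_pins "$demo_dir/pins" "$demo_dir/rekeyed.pem" || echo "rekeyed certificate is not pinned"
```

Against a real project, pass the app's assets/pins folder and the .pem file saved from the openssl s_client step; a failure before a certificate rollover means the new key has not been bundled yet.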