What's your use-case for limiting access in this way?
Personally, I'd just use a certificate that will work on mobile devices from a trusted CA (letsencrypt.org is free!). Then the user doesn't have to install any certificate in order to access your app. If you need additional controls, use authentication.
Doing client certificate authentication is not available at the webview level.
To do so would require sending your calls over native via a plugin instead. I once upon a time had to fork the best plugin for Certificate Pinning and add in Certificate Authentication. GitHub - SpiderOak/cordova-HTTP: Cordova / Phonegap plugin for communicating with HTTP servers. Allows for SSL pinning!
It comes down to having to let go of communicating with Ajax/XHR etc, and communicating via the plugin only (at least while authentication/pinning is important).
It might help you, it might not, but at least it might help you understand what might be involved.
The customer decides to implement an additional authentication server side on the Web Application Firewall (WAF). The goal is not to prevent a 'man in the middle attack'. We already use basic authentication for our app. So this particular customer wants to have a two-way authentication with:
- Basic authentication (already implemented and in use)
- Server side authentication on the Web Application Firewall (WAF) by client certificate (not implemented)
Thank you for the plugin recommendation. One question: Is it also possible to use certificates which are password protected?
Just to make clear -- if the user opens a browser and navigates to your web app, they get prompted to install a certificate? If so, I don't see how that adds any additional security, since everyone who navigates to the web app will be prompted to do so. Or are they required to enter an additional password (based on your last reply)?
You also mention "The goal is not to prevent a 'man in the middle attack'" -- I want to make sure that you mean you aren't trying to prevent an MITM attack. Is that correct?
Also, is this an app that's going to be distributed by the app store, or is it an internal-only enterprise app? If the latter, I'd use MDM to deploy the appropriate certificates to user devices.
The goal (of the customer) is to make sure only 'certified' devices get access to the backend. I'd say that the following thread on stackoverflow describes it very nicely: http://stackoverflow.com/questions/25924881/ios-client-certificates-and-mobile-device-management. They wrote: "Our customers want to use an MDM (mobile device management) solution (MobileIron) to install client certificates onto corporate iOS devices, in order to limit access to certain corporate web services to corporate devices only."
Since our specific customer doesn't (yet) have an MDM solution in place but just a WAF they want to do the following:
1) Install app from App store
2) Generate client certificate
3) Install client certificate on iOS device (using a PWD only available to sys admin) in Settings > General > Profiles
4) Start app and enter server URL (https), username and PWD (this is the login information required by our app)
5) ** Here the magic happens where not just MITM is avoided but the WAF can verify the clients certificate **
6) User can use the app respectively the web services
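Step 5 is the point where a WAF doing client-certificate authentication either completes or refuses the TLS handshake, before any request (and before the app's basic auth) is seen. The Go program below is an added illustration of that gate, not code from this thread or from the cordova-HTTP plugin; Go is used because its standard library can mint the certificates and run both ends offline. It stands up a local mutual-TLS gateway in the WAF role and calls it three ways: as an enrolled device holding a certificate issued by the device CA, as a client with no certificate at all (what an XHR from the webview is able to do), and as a client holding a certificate from a look-alike CA that copies the real CA's name but not its key. The names `Device CA`, `waf.example.test` and `device-0042` are constructed for the example, and for brevity one trust pool serves both as the server's client-CA list and as the client's root store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fixture code only; a real issuer would return the error
	}
	return v
}

// makeCert is a test fixture: a short-lived certificate for cn, self-signed (a CA) when parent is nil.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the test gateway listens on loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// gateway plays the WAF of step 5: TLS terminates here and the handshake only completes for clients whose certificate chains to a CA in trust.
func gateway(trust *x509.CertPool, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Reached only behind a verified device certificate; the app's basic auth is checked on top of this.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	s.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientCAs:    trust,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
	s.StartTLS()
	return s
}

// callAs sends one GET to the gateway; a nil cert models a plain XHR from the webview, which cannot present one.
func callAs(url string, trust *x509.CertPool, cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	cfg := &tls.Config{RootCAs: trust}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunDemo enrolls one device under a device CA, builds a look-alike CA that copies the name but not the key, and reports what each client gets.
func RunDemo() (enrolled string, noCert, rogue error) {
	ca, caKey := makeCert("Device CA", true, nil, nil)
	srvCert, srvKey := makeCert("waf.example.test", false, ca, caKey)
	devCert, devKey := makeCert("device-0042", false, ca, caKey)
	rogueCA, rogueCAKey := makeCert("Device CA", true, nil, nil)
	rogueCert, rogueKey := makeCert("device-0042", false, rogueCA, rogueCAKey)
	trust := x509.NewCertPool() // one pool for both roles here; real deployments keep the device CA separate from the server's public CA
	trust.AddCert(ca)
	gw := gateway(trust, srvCert, srvKey)
	defer gw.Close()
	enrolled, _ = callAs(gw.URL, trust, devCert, devKey)  // "hello device-0042"
	_, noCert = callAs(gw.URL, trust, nil, nil)           // refused: no certificate
	_, rogue = callAs(gw.URL, trust, rogueCert, rogueKey) // refused: not issued by the real CA
	return enrolled, noCert, rogue
}

func main() {
	enrolled, noCert, rogue := RunDemo()
	fmt.Printf("enrolled device: %q\nno certificate: %v\nlook-alike CA: %v\n", enrolled, noCert, rogue)
}
```

Run with `go run`; the two refusals come back as TLS alerts, so those requests never reach the application handler or its basic-auth check, which is the property the customer is after in step 5. Because a webview XHR cannot attach a certificate, it lands in the "no certificate" case, which is why requests have to go through a native plugin for this setup to work.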
- I wouldn't publish an app like this on the app store. It sounds like this is for a very limited audience, namely the customer's employees, especially since they indicate that they intend on using MDM at some point in the future. It makes more sense to use the Enterprise or B2B programs (for iOS).
- Ok; I think we were originally thinking that the server was providing the cert, but the way I understand it is that the server is requesting the client provide a certificate, correct? And this certificate is what you're installing into the profile.
- I suspect you're going to need to get into native code and write a plugin in order to really do this. The following may be useful, however:
I'm not sure any of that's terribly useful or not, though.
Yeah, I agree with Kerri that this might be best NOT on the general App Store, but the plugin I posted above will allow Client Certificate authentication, you just need to do all requests via it instead of via XHR, etc.
Thank you kerryshots and devgeeks for your help. We are going to clarify with the customer for alternatives.