2150973 - ManInTheMiddle attack with SMP 3.0.x - SMP | SAP Knowledge Base Article

SAP Knowledge Base Article - Preview

2150973 - ManInTheMiddle attack with SMP 3.0.x - SMP

Symptom

  • Deprecated encryption
    Actually the used encryption type (SSL 1, SSL2, TLS) depends of which one is supported by the server and the highest available will be used.
    We have the requirement to enforce at least TLS on client side even if an undetected man-in-the-middle attack succeeds to simulate that the server only supports SSL1 or SSL2.
  • Certificate pinning
    Actually the default-os-modus is used to verify the validity of the server certificate: certificate chains as RFC 5280.
    That allows easily man-in-the-middle attacks by persons who dispose about trusted signed certificates.
    Instead our requirement is to have a mechanism available, when using OData requests, which verifies on SMP if the requested server
    uses a specific known certificate, which has been send via secure channel to the app or which has been provided with the app bundle as resource.
    The way of delivery is not relevant but the validation against a certificate (as supposed to be existing in the app bundle)

Read more...

Environment

  • SAP Mobile Platform (SMP) 3.0 SP06
  • SAP Mobile SDK 3.0 SP07

Product

SAP Mobile Platform 3.0

Keywords

KBA , encryption , tls , certificate , v1.2 , api , MOB-SDK , SAP Mobile SDK , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.