We would like to notify you about upcoming changes in our Verisec Mobile Core SDK library. We have released a new version of the library on November 9th 2022 for both Android and iOS. The only update we have made in this release is a replacement of the certificate used for the Certificate Pinning feature, however this change will require that our customers using our SDK release an update of their respective applications, that will include this latest version of the SDK.
The SDK library communicates with a Verisec service known as Verisec MDS in order to fetch the correct address and certificate of the Customer backend that it needs to connect to. During the TLS handshake between the SDK and the MDS service, certificate pinning functionality is performed as an additional security measure to protect from malicious attacks, where an unauthorized third party might try to impersonate the MDS servers. The current certificate, used as part of this certificate pinning process, will expire on December 11th 2022. Therefore in order to avoid any negative customer impact we will update the MDS certificate on December 1st 2022 .
Customer Impact
We are planning to renew the MDS service certificate on December 1st 2022. Once this certificate is renewed, Customers with the old SDK library version will have the following impact:
- Activation and/or re-activation of new Customer user tokens will not be possible
- Certificate renewal for the Customer’s Verisec MASS servers will not be possible for existing users
Timeline:
- November 9th 2022 – New version of the Verisec Mobile Core SDK library with new certificate was released for both Android and iOS.
- December 1st – New Verisec MDS service certificate is published. By this time Customers should have released a new App version that includes an updated Mobile SDK with the new certificate and make it available to their users.
- December 11th – Current Verisec MDS service certificate expires.
Moving forward: Certificate Pinning to be made optional for current and new Verisec Mobile Core SDK Customers.
Before September 1st 2020, it was possible to obtain multi-year TLS certificates from many public Certificate Authorities (CAs), however after this date the CA/B Forum, integrated by all leading public CAs and Browser vendors, determined that the maximum validity period for all new Certificates would not be longer than 13 months. This has meant that we have had to make these MDS certificate changes every year, instead of every several years, like before 2020. Some Customers of Verisec have expressed to us that in the future they would not want to have to do a release of their Apps just to do an update of the MDS certificate in their SDK, this is why for these customers in Q1 2023 we will be releasing an updated version of the Verisec Mobile Core SDK that will have Certificate Pinning as a configurable option, instead of this being mandatory, like it is today. This so that Customers who do not wish to keep making yearly releases of their Apps due to these certificates updates can disable the feature. Having said this, at Verisec we would still recomend to keep the Certificate Pinning function enabled whenever possible. Impersonation attacks against Verisec’s MDS service servers, or against a Customer’s Verisec MASS servers are not common and we have not yet seen any such attacks in the wild so far, however they do remain a possibility and therefore we will keep our Certificate Pinning functionality available to prevent against these possible attacks, but now as an option, so that Customers can make their own risk-based decisions related to this feature.
For any further questions please get in touch with our service team at SUPPORT@VERISECINT.COM
