January 23, 2015
Preventing man-in-the-middle attacks with AS3/Air app

I am writing a client app for Air in FB 4.7 and AS3. The app makes a call to an authentication service that sits behind nginx that is set up for SSL. I can successfully implement "certificate pinning" with SecureSocket, but can't figure out how to then send an HTTP request using SecureSocket. I understand the main use case for SecureSocket is for direct TCP socket communication, but I can't figure out how to do certificate pinning with UrlRequest/UrlLoader.

Is it possible to:

1.) Send an HTTP request with SecureSocket, with which I've already been able to enable "certificate pinning".

2.) Gain access to the server cert with UrlRequest/UrlLoader (or HttpService or UrlStream...) so that I can compare with a locally stored public key or copy of the server's cert.

3.) Using UrlLoader, automatically distrust invalid certs: If someone intercepts the request with a self-signed cert, don't prompt the user and allow them to continue even with an untrusted cert.

4.) Some other method of preventing man-in-the-middle attacks that I'm not thinking of...

Any help with this would be hugely appreciated!
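
Option 1 from the question (an HTTP request over the SecureSocket that has already been pinned), as an added example that is not part of the original post. The class `PinnedHttpClient`, its `fetch` method and the `pinnedDer`/`onDone` parameters are hypothetical names, and the pin is assumed to be a DER copy of the server certificate shipped with the app.

```actionscript
package {
    import flash.events.*;
    import flash.net.SecureSocket;
    import flash.security.CertificateStatus;
    import flash.utils.ByteArray;
    public class PinnedHttpClient { // hypothetical helper, not an AIR class
        private var sock:SecureSocket = new SecureSocket();
        private var reply:ByteArray = new ByteArray();
        private var pinnedDer:ByteArray;  // DER copy of the expected server certificate
        private var onDone:Function;      // onDone(error:String, rawReply:ByteArray), called once
        private var request:String;
        private var done:Boolean = false;
        public function PinnedHttpClient(pinnedDer:ByteArray, onDone:Function) {
            this.pinnedDer = pinnedDer;
            this.onDone = onDone;
            sock.addEventListener(Event.CONNECT, onConnect);
            sock.addEventListener(ProgressEvent.SOCKET_DATA, function(e:ProgressEvent):void { sock.readBytes(reply, reply.length, sock.bytesAvailable); });
            sock.addEventListener(Event.CLOSE, function(e:Event):void { finish(null); });
            sock.addEventListener(IOErrorEvent.IO_ERROR, function(e:IOErrorEvent):void { finish(e.text); });
            sock.addEventListener(SecurityErrorEvent.SECURITY_ERROR, function(e:SecurityErrorEvent):void { finish(e.text); });
        }
        public function fetch(host:String, port:int, path:String):void {
            // HTTP/1.0 keeps the reply unchunked and ended by socket close, so no framing parser is needed.
            request = "GET " + path + " HTTP/1.0\r\nHost: " + host + "\r\nConnection: close\r\n\r\n";
            sock.connect(host, port);
        }
        private function onConnect(e:Event):void {
            // The handshake is complete and nothing has been written yet: check the pin before sending anything.
            var cert:ByteArray = sock.serverCertificate ? sock.serverCertificate.encoded : null;
            if (sock.serverCertificateStatus != CertificateStatus.TRUSTED || !sameBytes(cert, pinnedDer)) {
                finish("server certificate does not match the pinned copy");
                return;
            }
            sock.writeUTFBytes(request);
            sock.flush();
        }
        private function sameBytes(a:ByteArray, b:ByteArray):Boolean {
            if (a == null || b == null || a.length != b.length) return false;
            var diff:int = 0;
            for (var i:int = 0; i < a.length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
        private function finish(error:String):void {
            if (done) return; done = true;
            if (sock.connected) sock.close();
            onDone(error, reply);
        }
    }
}
```

Because the pin is the whole certificate, renewing the server certificate means shipping an updated copy with the app.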

chris.campbell
Legend
February 5, 2015

Moved to the AIR development forum in hopes someone here might have some suggestions.