
SDK Update: Certificate Pinning

Release Dates: Current Version of iOS 3.1.1, 8th April 2020 Android

Developers, apologies for the short notice on this app update.

Action Required: Please update all your in-store apps to the latest version of the digi.me SDK. The updated apps will need to be in the app stores by 29th April 2020 for iOS and before 24th June 2020 for Android. This will ensure ongoing access to data and consent through the digi.me SDKs.

Why: We have updated our security certificates in line with our regular certificate pinning policies, and as such only apps using iOS version 3.1.1 (current version) or Android version 2.2.1 (due for release 15th April 2020) or higher will be able to access the digi.me platform. There are no code changes required; however, your apps will need to be rebuilt and re-published with the latest SDK before the above dates in order to ensure data access continuity.

Key Info:

  • Update your in-store apps to the latest version of the digi.me SDK for continuity
  • All app updates need to be in store before April 29th 2020 for iOS and before 29th June 2020 for Android
  • Any apps using the old SDK, and therefore the old certificates, will fail with an error 999

What is certificate pinning and why do we use it?

Certificate pinning is used by digi.me to ensure the integrity of the data and the source requesting it. When relying on SSL certificates alone, impersonation can become an issue, with certificates being copied and used by third parties. Certificate revocation doesn’t tend to work as a complete solution, nor does third-party validation, as they move the problem without resolving it. Instead, digi.me uses a technique known as “certificate pinning” to ensure that the TLS certificates used by our API match those expected by the clients. If they vary at all, say because of an attempted man-in-the-middle attack, then the connection is rejected and a suitable warning is presented to the user.

The current round of certificate changes is in response to Apple updating their own certificate policy from a 3-year cycle to a 1-year cycle. In order to align with the Apple certification policies, we have adjusted our own certification cycles, and we will be updating our certificates regularly. We will usually give more notice than we have done with this release, and we apologise for the short notice.
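The pin check described above, and why a build that carries only the old pin stops connecting once the served certificate is rotated, shown as an added example that is not digi.me SDK code. It assumes the pin is the SHA-256 of the whole certificate and that each build ships a single pin; the function names and the byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """The server's certificate is not one this build was shipped to trust."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: frozenset) -> bool:
    """True only if the presented certificate is one of the pinned ones."""
    presented = fingerprint(der_cert)
    # Check every pin so timing does not depend on which one matched.
    results = [hmac.compare_digest(presented, pin) for pin in pins]
    return any(results)


def connect_pinned(host: str, pins: frozenset, port: int = 443) -> ssl.SSLSocket:
    """TLS connect with normal CA and hostname validation, then the pin check."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()  # reject before any application data is sent
        raise PinMismatch(f"certificate for {host} does not match a pinned value")
    return tls


# Constructed stand-ins for DER certificates (not real certificates).
OLD_CERT = b"constructed: certificate served before the rotation"
NEW_CERT = b"constructed: certificate served after the rotation"
OTHER_CERT = b"constructed: CA-valid certificate from an interposed host"

OLD_BUILD_PINS = frozenset({fingerprint(OLD_CERT)})  # assumed: app built with old SDK
NEW_BUILD_PINS = frozenset({fingerprint(NEW_CERT)})  # assumed: app rebuilt with new SDK


def outcomes(served: bytes) -> dict:
    """Which builds accept the certificate the server is currently serving."""
    return {"old_build": pin_matches(served, OLD_BUILD_PINS),
            "new_build": pin_matches(served, NEW_BUILD_PINS)}
```

`outcomes(NEW_CERT)` shows the old build rejecting the rotated certificate, which is the case the announcement says surfaces as error 999; `outcomes(OTHER_CERT)` shows both builds rejecting a certificate that would pass CA validation alone.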

Help & Support: Should you have any questions around certificates and security, please don’t hesitate to give us a shout on either our support forum or on Slack.