SAP Knowledge Base Article - Preview

2150973 - ManInTheMiddle attack with SMP 3.0.x - SMP

Symptom

  • Deprecated encryption
    Currently the encryption protocol actually used (SSL1, SSL2, TLS) depends on which ones the server supports, and the highest version available is negotiated.
    We have the requirement to enforce at least TLS on the client side, even if an undetected man-in-the-middle attack succeeds in pretending that the server only supports SSL1 or SSL2.
  • Certificate pinning
    Currently the default OS mode is used to verify the validity of the server certificate: certificate chain validation as per RFC 5280.
    That makes man-in-the-middle attacks easy for anyone who possesses a trusted, signed certificate.
    Instead our requirement is to have a mechanism available, when using OData requests, which verifies on SMP whether the requested server
    uses a specific known certificate, which has been sent to the app via a secure channel or which has been provided as a resource in the app bundle.
    The way of delivery is not relevant, but the validation against a certificate (as supposed to exist in the app bundle)
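The two requirements above (a client-side protocol floor that survives a downgrade attempt, and a check of the server's leaf certificate against a known copy) can be illustrated with Python's standard `ssl` module. This is an added example for illustration only; it is not SAP code and does not use the SMP or Mobile SDK API. `PINNED_SHA256` is a constructed placeholder for the SHA-256 fingerprint of the DER-encoded certificate that would ship with the app bundle; `connect_pinned` is a hypothetical helper name.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder. In a real deployment this set holds the SHA-256
# hex digest(s) of the DER-encoded server certificate(s) that were shipped
# with the app bundle or delivered over a secure channel.
PINNED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def make_client_context(minimum=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Build a client SSLContext that refuses anything below `minimum`.

    Setting the floor on the client means that a peer offering only
    SSLv2/SSLv3/TLS 1.0 (a real server or a man-in-the-middle simulating one)
    cannot complete the handshake, whatever it advertises.
    """
    ctx = ssl.create_default_context()      # chain + hostname check per RFC 5280
    ctx.minimum_version = minimum           # explicit TLS floor, not "highest offered"
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins=PINNED_SHA256) -> bool:
    """True if the certificate's fingerprint is one of the pinned values.

    compare_digest avoids leaking which pin (if any) was close via timing.
    """
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def connect_pinned(host: str, port: int = 443, pins=PINNED_SHA256, timeout=10):
    """Open a TLS connection and additionally pin the server's leaf cert.

    Chain validation still runs (create_default_context), so a certificate
    that is trusted by the OS store but is not the expected one is rejected
    here even though RFC 5280 validation alone would accept it.
    """
    ctx = make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        leaf = tls.getpeercert(binary_form=True)   # DER bytes of the leaf cert
        if not leaf or not pin_matches(leaf, pins):
            raise ssl.SSLError("server certificate does not match pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Offline demonstration of the pin check with constructed bytes.
    sample = b"constructed-der-bytes-not-a-real-certificate"
    print("pin ok:", pin_matches(sample, {fingerprint(sample)}))   # True
    print("pin ok:", pin_matches(sample, PINNED_SHA256))           # False
```

The pin check runs after the normal chain validation rather than instead of it, so both the protocol floor and the known-certificate requirement hold at once; rotating the server certificate means shipping the new fingerprint (or a backup pin) with the app before the switch.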



Environment

  • SAP Mobile Platform (SMP) 3.0 SP06
  • SAP Mobile SDK 3.0 SP07

Product

SAP Mobile Platform 3.0

Keywords

KBA , tls , v1.2 , encryption , api , certificate , MOB-SDK , SAP Mobile SDK , Problem
