To ensure integrity and confidentiality, all communication between the app on the device and the target servers must be strongly encrypted. SAP Fiori Client must use HTTPS for all network connections.
Besides strong encryption of the data in transit, the contacted server has to prove its identity by presenting a TLS (Transport Layer Security) server certificate during the HTTPS handshake, so that the app, acting as the HTTPS client, can validate the identity of the server it is communicating with. The validity and trust of the server certificate need to be verified on the client side before the connection is considered established.
When using HTTPS, mobile applications should ensure that server certificate verification includes at least the following checks:
Matching of the hostname against the name in the certificate (the subject alternative name, or the subject common name as a fallback)
Certificate issued by a trusted Certificate Authority (CA)
Basic constraints (whether the certificate is allowed to act as a CA, and the maximum depth of the certificate path below it) and key usage (the purpose for which the key contained in the certificate may be used)
The verification has to cover the whole certificate chain up to a trusted root CA certificate. Mobile applications should not pass locally managed trusted certificates into this verification call for server certificates, but always rely on the trusted root CA certificates available in the device's default root store (sometimes also called the "anchor store"). Customers should therefore either use server certificates from well-known CAs whose root certificates ship with the device operating system, or use mobile device management (MDM) software to provision additional trusted root CA certificates into the device's default store. If server certificate verification fails, the connection must not be established. Users must not be asked whether they want to continue with, or accept, a server certificate whose trust could not be verified.
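The following Go program is an added example, not code from SAP Fiori Client or this page, showing what the checks listed above look like when an HTTPS client verifies a server certificate. It builds a constructed, in-memory chain (root CA, intermediate CA, server leaf) for the assumed hostname fiori.example.com, then runs the verification once for a correct chain and once for each failure mode from the list: hostname mismatch, chain not reaching a trusted root (missing intermediate), a leaf whose extended key usage does not permit server authentication, and a leaf issued by a certificate that lacks the CA basic constraint. Only the first case may succeed; all others must be rejected without any user prompt. The constructed root is used as trust anchor solely so the example runs offline; a real client leaves Roots/RootCAs unset so the device's default root store is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hostname is an assumed example host, not a real SAP endpoint.
const hostname = "fiori.example.com"

// pki holds a constructed chain: root CA -> intermediate CA -> server leaf.
type pki struct {
	root, inter, leaf *x509.Certificate
	leafKey           *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent (self-signed when parent == tmpl) and parses the DER result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate sets the basic constraints a CA needs: CA=true and a path-length limit.
func caTemplate(cn string, serial int64, maxPathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		MaxPathLen: maxPathLen, MaxPathLenZero: maxPathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate builds an end-entity certificate; eku states the permitted purpose of its key.
func leafTemplate(host string, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // hostname matching is done against the SAN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // CA=false
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
	}
}

func buildPKI(eku x509.ExtKeyUsage) *pki {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate("Test Root CA", 1, 1)
	root, err1 := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter, err2 := sign(caTemplate("Test Intermediate CA", 2, 0), root, &interKey.PublicKey, rootKey)
	leaf, err3 := sign(leafTemplate(hostname, eku), inter, &leafKey.PublicKey, interKey)
	if err1 != nil || err2 != nil || err3 != nil {
		panic("constructed chain could not be issued")
	}
	return &pki{root: root, inter: inter, leaf: leaf, leafKey: leafKey}
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// verifyServerCert performs the client-side checks: chain building up to a trusted root,
// hostname match against the SAN, basic constraints and path length of every CA in the
// chain, and the serverAuth extended key usage on the leaf. roots must be the device's
// default root store in a real client; it is the constructed root here only to run offline.
func verifyServerCert(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool, host string) error {
	opts := x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// strictTLSConfig is what the HTTPS client hands to its transport: the expected hostname,
// the system root store (RootCAs unset) and verification never disabled.
func strictTLSConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12, InsecureSkipVerify: false}
}

// runScenarios returns the verification error per case; only "valid chain" may be nil.
func runScenarios() map[string]error {
	good := buildPKI(x509.ExtKeyUsageServerAuth)
	clientOnly := buildPKI(x509.ExtKeyUsageClientAuth)
	results := map[string]error{
		"valid chain":             verifyServerCert(good.leaf, []*x509.Certificate{good.inter}, pool(good.root), hostname),
		"hostname mismatch":       verifyServerCert(good.leaf, []*x509.Certificate{good.inter}, pool(good.root), "login.example.net"),
		"missing intermediate":    verifyServerCert(good.leaf, nil, pool(good.root), hostname),
		"leaf not for serverAuth": verifyServerCert(clientOnly.leaf, []*x509.Certificate{clientOnly.inter}, pool(clientOnly.root), hostname),
	}
	// A certificate issued by the (non-CA) server leaf: rejected because the issuer's basic
	// constraints do not allow it to act as a CA.
	rogueKey := newKey()
	rogue, err := sign(leafTemplate(hostname, x509.ExtKeyUsageServerAuth), good.leaf, &rogueKey.PublicKey, good.leafKey)
	if err == nil {
		err = verifyServerCert(rogue, []*x509.Certificate{good.inter, good.leaf}, pool(good.root), hostname)
	}
	results["issuer is not a CA"] = err
	return results
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-24s -> %v\n", name, err)
	}
}
```

Every rejected case surfaces as an error from Verify; the client treats all of them the same way and simply does not open the connection. Setting InsecureSkipVerify to true (or the equivalent "trust all" hostname verifier on a mobile platform) disables every one of these checks at once, which is why it must never ship in a production build.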