mTLS client certificate authentication on Android & iOS clients

Hello.

I won’t say anything new.
This discussion/request still goes on after many years on different platforms/forums.

I have a single, just one simple question: Why is there absolutely no support for mutual TLS authentication on mobile devices?

Well, let me quote a question on GitHub nextcloud from user “igomezl”:
(link: Use SSL Client Certificate to improve security · Issue #847 · nextcloud/ios · GitHub )

“+1. Having at least the capability to authenticate the user using a client certificate in the mobile app would be a good starting point. mTLS is being widely adopted, I wonder why Nextcloud is not following this recommendation.”

This question is from two days ago as of the time of my writing. This is not the only discussion/issue on that topic. As far as I can remember, those date back to 2017.

As many pros have confirmed many times on many occasions, that’d reduce the attack surface by 99%.

So, why is there no support for mTLS for mobile clients?
What’s the Nextcloud motto? “Regain control. The self-hosted productivity platform that keeps you in control”?

Well, i have another explanation for this…
Since this support has been totally ignored for more than half a decade, it’s obvious somebody somehow does not want it to happen. (The attack surface would be reduced by 99% for most private, on-premises servers.)

I think that after all this time, it’s time to take those requests seriously.
(Otherwise you can forget privacy.)

Thank You in advance,
MaPo

This is mainly a support forum for private users. Feature requests should be discussed on GitHub (as you referenced).

From my point of view, existing authentication methods including MFA and SAML (which in turn are extensible and could include client cert auth) are more than sufficient; adding another one doesn’t improve the security of the system but increases the complexity.

From the Wikipedia mTLS definition it’s more than clear that mTLS is not really well suited for end-user application scenarios with changing clients…

By default the TLS protocol only proves the identity of the server to the client using X.509 certificates, and the authentication of the client to the server is left to the application layer. TLS also offers client-to-server authentication using client-side X.509 authentication. As it requires provisioning of the certificates to the clients and involves a less user-friendly experience, it’s rarely used in end-user applications.
Mutual TLS authentication (mTLS) is more often used in business-to-business (B2B) applications, where a limited number of programmatic and homogeneous clients are connecting to specific web services, the operational burden is limited, and security requirements are usually much higher as compared to consumer environments.

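The difference the quoted Wikipedia passage draws, server-only authentication by default versus the server also demanding a client certificate, is easiest to see in a running handshake. The following Go program is an added example for this thread; it is not code from the original post, from Nextcloud, or from any of its clients. It generates two throwaway self-signed certificates in memory (the names `files.example.internal` and `mobile-client-1` are made up), starts a loopback TLS listener with `ClientAuth: tls.RequireAndVerifyClientCert`, and connects twice: once presenting the client certificate, once without. The server trusts the single client certificate directly instead of a CA, which is a test simplification; a real deployment would trust an issuing CA and handle revocation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// newSelfSigned builds a throwaway self-signed certificate in memory (a
// constructed test identity, not a real PKI). Server certs get the serverAuth
// EKU plus a 127.0.0.1 SAN; client certs get the clientAuth EKU.
func newSelfSigned(cn string, serial int64, server bool) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// startServer listens on loopback and REQUIRES a client certificate found in
// trustedClients. The handshake is driven explicitly so an unauthenticated peer
// is dropped before any application data is exchanged; an authenticated peer
// receives one line naming the CN the server verified.
func startServer(serverCert tls.Certificate, trustedClients *x509.CertPool) (net.Listener, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mTLS switch
		ClientCAs:    trustedClients,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				c.SetDeadline(time.Now().Add(5 * time.Second))
				tc := c.(*tls.Conn)
				if err := tc.Handshake(); err != nil {
					return // missing/untrusted client cert: alert sent, nothing served
				}
				peer := tc.ConnectionState().PeerCertificates[0]
				fmt.Fprintf(tc, "authenticated as %s\n", peer.Subject.CommonName)
			}(conn)
		}
	}()
	return ln, nil
}

// connect dials the server, optionally presenting clientCert, and returns the
// greeting. Under TLS 1.3 the server's rejection of a missing client certificate
// arrives on the first Read rather than in Dial, so both steps are checked.
func connect(addr string, trustedServer *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: trustedServer, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	reply, err := io.ReadAll(conn)
	if err != nil {
		return "", err
	}
	if len(reply) == 0 {
		return "", fmt.Errorf("rejected: connection closed without application data")
	}
	return strings.TrimSpace(string(reply)), nil
}

// Demo runs both attempts and returns their outcomes.
func Demo() (withCert string, withCertErr error, withoutCertErr error) {
	serverCert, serverLeaf, err := newSelfSigned("files.example.internal", 1, true)
	if err != nil {
		return "", err, err
	}
	clientCert, clientLeaf, err := newSelfSigned("mobile-client-1", 2, false)
	if err != nil {
		return "", err, err
	}
	serverPool, clientPool := x509.NewCertPool(), x509.NewCertPool()
	serverPool.AddCert(serverLeaf) // what the client trusts
	clientPool.AddCert(clientLeaf) // what the server trusts
	ln, err := startServer(serverCert, clientPool)
	if err != nil {
		return "", err, err
	}
	defer ln.Close()
	withCert, withCertErr = connect(ln.Addr().String(), serverPool, &clientCert)
	_, withoutCertErr = connect(ln.Addr().String(), serverPool, nil)
	return withCert, withCertErr, withoutCertErr
}

func main() {
	withCert, err1, err2 := Demo()
	fmt.Println("with client cert:   ", withCert, err1)
	fmt.Println("without client cert:", err2)
}
```

The point the example makes for the thread: with `RequireAndVerifyClientCert` set, a connection that cannot present a trusted client certificate never reaches the application layer at all, so the web application's login form, session handling and API endpoints are simply not exposed to it. That is the mechanism behind the "reduced attack surface" argument, and it is also why the provisioning burden the Wikipedia passage mentions is real: every client must be issued and keep a certificate.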

This is mainly a support forum for private users

I apologize if I missed the correct forum. (A moderator/admin can move it to the proper one.)

As it requires provisioning of the certificates to the clients and involves a less user-friendly experience, it’s rarely used in end-user applications.

No, it is not. It’s a standard in B2B (like you’ve mentioned), healthcare, banking and governmental institutions, etc…
And… no, it’s not overburdening in such situations, neither for IT security departments nor for end users.

and security requirements are usually much higher as compared to consumer environments

I concur. Yes, of course. (That’s the point.)

I wonder…

  • Why does the Nextcloud desktop client support mTLS?
  • Why does the Nextcloud Talk mobile client support mTLS?

So… what seems to be the problem with mTLS integration for the mobile file sync app?

From my point of view, existing authentication methods including MFA and SAML […cak…] are more than sufficient

Well, no, they are not. I can’t agree.