In high-security environments, SSL pinning is an important additional security measure. This talk covers SSL pinning on iOS using AFNetworking.
2. What is SSL?
• First, what happens when you make an SSL connection?
• The client checks that the server's certificate has a verifiable chain to a trusted root certificate
• The client checks that the certificate matches the host name
• It does NOT check that the certificate is your certificate
3. What is SSL pinning?
• In a nutshell: checking that the server's certificate is exactly the certificate you expect it to be
• An additional layer of security against MITM attacks
4. Pinning possibilities
• Pin a certificate
  • You match the server's certificate against a stored copy of that certificate
  • The app needs to be updated every time you renew the certificate
• Pin a public key
  • You match only the public key contained in the certificate
  • The app needs to be updated only if the renewed certificate has a different key
5. Technical implementation
• In iOS, using AFNetworking
• What you'll need:
  • an iOS app,
  • AFNetworking,
  • a binary (DER) certificate to pin.
6. Technical implementation
• How to recognise a binary vs. a base64 certificate?
• A binary certificate does not look like this:
-----BEGIN CERTIFICATE-----
394230AFDFD4A9EFD...
-----END CERTIFICATE-----
• Luckily, the above base64 (PEM) form can easily be converted to binary by running the following command:
openssl x509 -in base64.crt -outform der -out binary.cer
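The following script is an added example and is not part of the original talk. It uses only openssl to make the point of slide 4 concrete (a certificate pin breaks on every renewal, a public-key pin only when the key changes) and performs the PEM-to-DER conversion of slide 6 on the result. Every key and certificate is generated inside the script as constructed test material; the host name pin.example is made up.

```shell
#!/bin/sh
# Added example, not part of the original talk: shows with openssl why a
# public-key pin survives a certificate renewal while a certificate pin does not,
# and performs the PEM (base64) to DER (binary) conversion from the slides.
# All keys and certificates are generated here as constructed test material;
# the host name pin.example is made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed certificate for an existing key.
# $1 = private key file, $2 = output certificate (PEM), $3 = validity in days
issue_cert() {
    openssl req -x509 -new -key "$1" -sha256 -days "$3" \
        -subj "/CN=pin.example" -out "$2" 2>/dev/null
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64 encoded.
# This is the value a public-key pin compares.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | openssl base64
}

# SHA-256 fingerprint over the whole DER certificate.
# This is the value a certificate pin compares.
cert_fingerprint() {
    openssl x509 -in "$1" -outform der | openssl dgst -sha256 -binary | openssl base64
}

# Comparison helpers that return a shell status, usable in conditions.
same_key_pin()  { [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]; }
same_cert_pin() { [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; }

# Convert a PEM certificate to DER (the slide's command) and verify the output parses as DER.
pem_to_der() {
    openssl x509 -in "$1" -outform der -out "$2"
    openssl x509 -in "$2" -inform der -noout 2>/dev/null
}

# Year 1: original key and certificate.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
issue_cert "$WORK/server.key" "$WORK/year1.crt" 365

# Year 2: certificate renewed with the same key.
issue_cert "$WORK/server.key" "$WORK/year2.crt" 365

# Year 3: certificate renewed with a rotated key.
openssl genrsa -out "$WORK/rotated.key" 2048 2>/dev/null
issue_cert "$WORK/rotated.key" "$WORK/year3.crt" 365

# The binary form you would add to the app bundle.
pem_to_der "$WORK/year1.crt" "$WORK/year1.cer"

# Print which pin type survives which renewal.
report() {
    if same_cert_pin "$1" "$2"; then c=same; else c=differs; fi
    if same_key_pin "$1" "$2"; then k=same; else k=differs; fi
    echo "$(basename "$1") vs $(basename "$2"): certificate pin $c, public-key pin $k"
}
report "$WORK/year1.crt" "$WORK/year2.crt"   # certificate pin differs, public-key pin same
report "$WORK/year1.crt" "$WORK/year3.crt"   # both differ: the app must ship a new pin
```

The renewal in year 2 changes the certificate's serial number and validity dates, so its fingerprint changes and a pinned certificate no longer matches, while the SubjectPublicKeyInfo hash is unchanged. Only the key rotation in year 3 invalidates the public-key pin, which is the release cadence slide 4 describes.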
7. Technical implementation
• Add the certificate to your app's resources bundle
• Set your security policy to the pinning mode of your choice:
[securityPolicy setSSLPinningMode:AFSSLPinningModeCertificate];
[securityPolicy setSSLPinningMode:AFSSLPinningModePublicKey];
• Done!
8. Pitfalls
• Don't pin the root certificate or the entire bundle
• Certificates need to be in the same project bundle as AFNetworking
• If not, add them manually:
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
NSString *certPath = [[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"];
NSData *certData = [[NSData alloc] initWithContentsOfFile:certPath]; // DER bytes of the pinned certificate
policy.pinnedCertificates = @[certData]; // no trailing nil: a nil inside an array literal raises an exception