Let’s write Swift code to intercept SSL Pinning HTTPS Requests
One of the popular ways to inspect HTTPS requests in iOS Apps is the Man-in-the-middle (MITM) attack. This technique requires a machine to be used as a proxy server for the client. For this to work, the client has to install the proxy server’s certificate into the device global trust store. By doing this, the client whitelists the certificate and hence allows HTTPS communication with the proxy server.
Here’s an example of mitmproxy being used to inspect CNN iOS app. Prior to this, I have already installed the proxy server’s certificate on the device. Instructions can be found on mitmproxy website here
SSL Certificate Pinning
One way to protect your app against MITM is to use SSL certificate pinning. This involves having a copy of the trusted server’s certificate packaged into your iOS app and some additional code to ensure that the app only communicates with servers using that particular certificate. When SSL certificate pinning is active, the app will not allow any requests to be sent out to any untrusted server. Hence, MITM proxy servers will not be able to pick up the requests because the requests are…
