Securing iOS Applications with SSL Pinning

Batuhan Saka
Published in Trendyol Tech, Jan 18, 2021

What is SSL?

Secure Sockets Layer (SSL) is a cryptographic protocol designed to provide communications security over a computer network. Every version of SSL is now deprecated and has been replaced by its successor, Transport Layer Security (TLS), but the old name stuck: what this article (and most of the industry) calls "SSL pinning" is pinning applied to the TLS connection underneath HTTPS. The protocol family is used in applications such as email, instant messaging and voice over IP, but its role as the security layer of HTTPS remains the most publicly visible one.

What is SSL Pinning?

Secure Socket Layer (SSL) Pinning is the process of associating a host with its expected certificate or public key inside the app, so that the app accepts a TLS connection only when the server presents that exact identity, instead of accepting any certificate that chains up to one of the roots in the device's trust store.

Why Should I Use SSL Pinning?

Using Secure Socket Layer (SSL) Pinning protects your app's traffic against the man-in-the-middle (MITM) attacks that rely on a certificate the device would otherwise trust: a user-installed root (which is how interception proxies such as Burp or Charles are set up), a compromised or mis-issued CA certificate, or a corporate TLS-inspecting proxy. It does not protect against an attacker who controls the device or the app binary: on a jailbroken device the pin check can be hooked or patched out, so pinning raises the cost of interception rather than eliminating it. It also has an operational cost of its own: every rotation of the pinned certificate has to be planned around app updates, which is why the choice of what to pin (below) matters.

What types of SSL pinning methods are there?

  1. Embedding the Certificate: You extract the server's certificate and embed it into your app bundle. The network layer compares the certificate presented by the server, byte for byte, with the embedded one.
  2. Embedding the Public Key: You extract the public key from the certificate and define it in your code or place it in the app bundle. The network layer compares the public key of the server's certificate with the embedded one. Because a renewed certificate can keep the same key pair, this variant survives a renewal that a full-certificate pin would not.

What’s the Difference Between Pinning the Root, Leaf and Intermediate Certificate?

Leaf Certificate: The strictest pin. If the certificate is replaced because it expires, is revoked, or its private key is compromised, the application stops connecting until you ship an update with the new pin. Pin a backup (the next certificate, or its key) alongside the current one so that a rotation does not lock users out.

Intermediate Certificate: As long as your certificate provider keeps issuing your leaf from the same intermediate, renewing the leaf does not require an application update. Intermediates are rotated too, only less often, so confirm your CA's plans and keep a backup pin here as well.

Root Certificate: The root certificate comes from the trusted certificate authority. Pinning the root puts trust in the root CA and in every intermediate that the root signs: any certificate the CA issues for your host name, to whomever it issues it, will be accepted.

Note: Any of the three can be pinned in your application. Pinning only the root is the weakest choice because of its scope: it still blocks a user-installed proxy root, but not a certificate mis-issued for your host by the same CA.

How should you embed the Certificate into the App Bundle?

First, the certificate file must be in DER (binary) format before you embed it into the app bundle, because SecCertificateCreateWithData, which both the Alamofire and the URLSession approach below rely on to build a SecCertificate, accepts only DER. You can check the format by opening the certificate file with a text editor: if you see Base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, the file is PEM and has to be converted; a DER file shows up as unreadable binary.

  • You can get the proper format by importing the existing certificate file into Keychain Access and exporting it again as .cer; the exported file is DER. The openssl x509 -outform DER step in the command below performs the same conversion.
  • If you do not have a certificate file to embed into the app bundle, you can retrieve the leaf certificate the server presents, already in DER, by running the command below. Run it from a network you trust: the command saves whatever certificate is presented, so behind an interception proxy you would pin the proxy's certificate. Compare the fingerprint with what your CA issued before shipping it.
openssl s_client -connect <hostname>:443 -servername <hostname> </dev/null \
| openssl x509 -outform DER -out <certificatename>.der

Is it possible to pin the certificate without embedding it into the App Bundle?

Extracting the bundle files from an IPA is trivial (it is a zip archive), so if you have concerns about putting the certificate there, you may avoid it.

  • You can place the Base64 form of the DER certificate into your codebase and convert it into a SecCertificate at runtime (decode with Data(base64Encoded:), then call SecCertificateCreateWithData). Keep in mind that this only changes where an attacker has to look: anyone who can repackage the IPA can also patch the binary, so treat it as obscurity on top of pinning, not as the security boundary. The Base64 form of the certificate can be obtained by running the following command.
base64 <certificatename>.der
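The two loading paths described above (a DER file in the bundle, or a Base64 string kept in code), as an added example in Swift that is not code from the article. It also performs the format check from the previous section at runtime, so a PEM file accidentally dropped into the bundle fails loudly instead of silently producing a nil certificate. The resource name, the bundle, and the inline Base64 string are placeholders.

```swift
import Foundation
import Security

/// Builds SecCertificate values for pinning from either a DER file in the app
/// bundle or a Base64/PEM string kept in the codebase (added example, not the
/// article's code; resource names and the inline certificate are assumptions).
enum PinnedCertificateLoader {

    /// Normalises raw file bytes into DER. SecCertificateCreateWithData accepts only
    /// DER, so a PEM file (Base64 text between BEGIN/END markers) is decoded first.
    static func derData(from raw: Data) -> Data? {
        // A DER certificate starts with the ASN.1 SEQUENCE tag (0x30); PEM starts with "-----".
        if raw.first == 0x30 { return raw }
        guard let text = String(data: raw, encoding: .utf8) else { return nil }
        return derData(fromBase64: text)
    }

    /// Strips PEM armour lines and whitespace, then Base64-decodes. Accepts both a bare
    /// Base64 string (the output of `base64 cert.der`) and a full PEM block.
    static func derData(fromBase64 text: String) -> Data? {
        let body = text
            .split(whereSeparator: \.isNewline)
            .filter { !$0.hasPrefix("-----") }      // drop BEGIN/END CERTIFICATE lines
            .joined()
            .filter { !$0.isWhitespace }
        guard let der = Data(base64Encoded: body), der.first == 0x30 else { return nil }
        return der
    }

    /// Loads `<name>.der` from the bundle (placeholder name; assumption).
    static func certificate(named name: String, in bundle: Bundle = .main) -> SecCertificate? {
        guard let url = bundle.url(forResource: name, withExtension: "der"),
              let raw = try? Data(contentsOf: url),
              let der = derData(from: raw) else { return nil }
        return SecCertificateCreateWithData(nil, der as CFData)
    }

    /// Builds a certificate from a Base64 string embedded in code, so no loose
    /// resource ships in the bundle.
    static func certificate(base64 text: String) -> SecCertificate? {
        guard let der = derData(fromBase64: text) else { return nil }
        return SecCertificateCreateWithData(nil, der as CFData)
    }
}

// Usage: placeholder Base64 (the output of `base64 <certificatename>.der`); assumption.
let embeddedBase64 = "MIIB...replace-with-your-own-certificate..."
if let cert = PinnedCertificateLoader.certificate(base64: embeddedBase64) {
    print("Pinned subject:", (SecCertificateCopySubjectSummary(cert) as String?) ?? "?")
} else {
    print("Embedded certificate is not valid DER; check the Base64 or the source file format")
}
```

The 0x30 check is deliberately strict: SecCertificateCreateWithData returns nil for PEM input, and a nil pin at app start is far cheaper to catch than a pinning evaluator with an empty certificate list in production.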

How to implement SSL Pinning on iOS?

There are two common approaches.

  • If you use Alamofire, the most popular networking library on iOS, it lets you pin certificates or public keys with the trust evaluators it provides out of the box (PinnedCertificatesTrustEvaluator and PublicKeysTrustEvaluator).

PinnedCertificatesTrustEvaluator takes the certificates to pin as an initializer parameter. By default it uses every certificate Alamofire finds in the main bundle (Bundle.main.af.certificates); if you want to specify them yourself, override that default with your own SecCertificate array. Both evaluators also run the system's default validation and the host-name check first, and only then compare the chain with the pins.

All you need is to create the Session with a ServerTrustManager that maps each host to its evaluator.

SSL Pinning Implementation with Alamofire

You can find the full details of the trust evaluators in the Alamofire documentation.
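The Session set-up described above, as an added example in Swift that is not the article's gist and not Alamofire's own code. It assumes Alamofire 5 is linked, and the host names are placeholders; it maps one host to certificate pinning and another to public-key pinning to show that each host gets its own evaluator.

```swift
import Foundation
import Alamofire

/// Builds an Alamofire Session whose ServerTrustManager pins each host to its own
/// evaluator (added example, not the article's gist; host names are assumptions).
enum PinnedSessionFactory {

    static func makeSession(apiCertificates: [SecCertificate], cdnPublicKeys: [SecKey]) -> Session {
        let evaluators: [String: ServerTrustEvaluating] = [
            // Certificate pinning: after default chain validation and the host-name
            // check, the presented chain must contain one of these exact certificates.
            "api.example.com": PinnedCertificatesTrustEvaluator(
                certificates: apiCertificates,
                acceptSelfSignedCertificates: false,
                performDefaultValidation: true,
                validateHost: true),
            // Public-key pinning: survives a leaf renewal that keeps the same key pair.
            "cdn.example.com": PublicKeysTrustEvaluator(
                keys: cdnPublicKeys,
                performDefaultValidation: true,
                validateHost: true)
        ]
        // allHostsMustBeEvaluated: a request to a host without an evaluator fails
        // instead of silently falling back to system trust.
        let manager = ServerTrustManager(allHostsMustBeEvaluated: true, evaluators: evaluators)
        return Session(serverTrustManager: manager)
    }
}

// Usage: Alamofire collects every .cer/.crt/.der in the main bundle through
// Bundle.main.af.certificates and their public keys through Bundle.main.af.publicKeys.
let session = PinnedSessionFactory.makeSession(
    apiCertificates: Bundle.main.af.certificates,
    cdnPublicKeys: Bundle.main.af.publicKeys)

session.request("https://api.example.com/v1/ping").validate().response { response in
    switch response.result {
    case .success:
        print("pinned connection OK")
    case .failure(let error):
        // A pin mismatch surfaces as AFError.serverTrustEvaluationFailed with the reason
        // (for example noCertificatesFound when the bundle holds no pins at all).
        print("request failed:", error)
    }
}
```

Keep allHostsMustBeEvaluated at its default of true: with it set to false, a typo in a host key or a new backend host quietly gets plain system trust, which is exactly the failure mode pinning is meant to remove.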

  • You can use Apple's own APIs to pin certificates or public keys through URLSession.

As you know, Apple provides URLSession for performing network tasks. To achieve the same outcome with Apple's APIs, create a URLSession instance with the proper configuration and handle the server-trust authentication challenge in the URLSessionDelegate method urlSession(_:didReceive:completionHandler:), where you compare the presented certificate chain with your pins before accepting the credential.

SSL Pinning Implementation with URLSession

Furthermore, host validation can be added in the same block through challenge.protectionSpace.host, which also lets you pin several certificates and map each of them to a host. Keep the system's own evaluation (SecTrustEvaluateWithError with an SSL policy for that host) as the first step: pinning is an extra check on top of the expiry, signature and host-name checks, not a replacement for them, and a challenge for a host you have no pins for should be rejected rather than passed to default handling.
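The delegate described above, as an added example in Swift that is not the article's gist. It keeps a per-host pin set of DER certificates, runs the system's chain and host-name evaluation first, and only then requires that the presented chain contain one of the pins; a host with no pins is rejected. Host names and resource names are placeholders.

```swift
import Foundation
import Security

/// URLSessionDelegate that pins each host to a set of DER certificates (added example,
/// not the article's gist; host and resource names are assumptions).
final class PinningSessionDelegate: NSObject, URLSessionDelegate {

    /// host -> acceptable certificates as raw DER bytes (leaf, intermediate or root).
    private let pins: [String: Set<Data>]

    init(pins: [String: Set<Data>]) {
        self.pins = pins
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges concern us; client certificates, Basic auth etc. keep default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let serverTrust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        let host = challenge.protectionSpace.host

        // Fail closed: no pins for this host, a chain the system rejects, or a chain that
        // contains none of the pinned certificates all cancel the connection.
        guard let pinnedForHost = pins[host],
              PinningSessionDelegate.isChainTrusted(serverTrust, for: host),
              PinningSessionDelegate.chainContainsPinned(serverTrust, pinned: pinnedForHost) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: serverTrust))
    }

    /// Step 1: standard X.509 validation with an SSL policy bound to the expected host name.
    static func isChainTrusted(_ trust: SecTrust, for host: String) -> Bool {
        let policy = SecPolicyCreateSSL(true, host as CFString)
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess else { return false }
        var error: CFError?
        return SecTrustEvaluateWithError(trust, &error)
    }

    /// Step 2: byte-for-byte comparison of every certificate in the evaluated chain with the pins.
    static func chainContainsPinned(_ trust: SecTrust, pinned: Set<Data>) -> Bool {
        return certificateChain(of: trust).contains { cert in
            pinned.contains(SecCertificateCopyData(cert) as Data)
        }
    }

    /// The chain as evaluated by the system (leaf first), using the pre-iOS 15 API where needed.
    static func certificateChain(of trust: SecTrust) -> [SecCertificate] {
        if #available(iOS 15.0, macOS 12.0, *) {
            return (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        }
        return (0..<SecTrustGetCertificateCount(trust)).compactMap {
            SecTrustGetCertificateAtIndex(trust, $0)
        }
    }
}

// Usage: each host maps to its own pins, loaded as DER from the bundle (names assumed).
// A second pin per host ("api-leaf-next") covers the certificate that will replace the current one.
func loadDER(_ name: String) -> Data? {
    guard let url = Bundle.main.url(forResource: name, withExtension: "der") else { return nil }
    return try? Data(contentsOf: url)
}
let pins: [String: Set<Data>] = [
    "api.example.com": Set([loadDER("api-leaf"), loadDER("api-leaf-next")].compactMap { $0 }),
    "cdn.example.com": Set([loadDER("cdn-intermediate")].compactMap { $0 })
]
let session = URLSession(configuration: .ephemeral,
                         delegate: PinningSessionDelegate(pins: pins),
                         delegateQueue: nil)
session.dataTask(with: URL(string: "https://api.example.com/v1/ping")!) { _, response, error in
    print(error.map { "pinning/network failure: \($0)" }
          ?? "status \((response as? HTTPURLResponse)?.statusCode ?? -1)")
}.resume()
```

Comparing the whole chain rather than only the leaf is what makes the same delegate work for a leaf, an intermediate or a root pin: you choose the scope by what you put in the pin set, and the two-step order means a pinned certificate that has expired or does not match the host is still rejected by step 1.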

Thanks for reading! 🚀
