SSL Pinning

Episode #73 | 8 minutes | published on June 28, 2013
Subscribers Only
In this episode I show how you can self-sign a certificate in Charles to inspect and modify requests & responses to an API. Using a technique called SSL Pinning, we can prevent this type of man in the middle attack and make our applications more secure.

Episode Links

Setting up Charles to inspect SSL traffic

In Charles, open the Proxy menu, then select Proxy Settings. On the SSL tab you can add a self-signed certificate for your API host. You may need to allow your Mac or iPhone Simulator to trust this certificate chain, to do that follow this guide.

Once done, you should be able to inspect SSL traffic.

Setting a breakpoint in Charles

Under the Proxy menu, select Breakpoints. Add a response breakpoint for your hostname and Charles will pause before sending the response, allowing you to edit it.

Enabling SSL Pinning on AFNetworking

On an AFRequestOperation object, you can set the SSLPinningMode property to AFSSLPinningModePublicKey. This property is only compiled in if AFNetworking is built with _AFNETWORKING_PIN_SSL_CERTIFICATES_ defined. If you're using CocoaPods, this is already defined.

Add your certificate to the bundle

If you don't have your certificate, you can download it from the site using the link above. Note that this will be in PEM format (it will contain "BEGIN CERTIFICATE" / "END CERTIFICATE" lines). We'll need to convert this to DER format using the following command:

openssl x509 -in cert.crt -out cert.cer -outform der

We can now drag this certificate into Xcode.

Why Not AFSSLPinningModeCertificate?

If we use the certificate pinning mode, then we're tied to that exact certificate. When it expires, we'll have to provide a new update to the application with the updated cert. Alternatively, we could provide a mechanism for an app to download an updated SSL cert from the server, but this opens up an opportunity for a malicious person to intercept this and supply their own certificate.

blog comments powered by Disqus