Infinum iOS Talks S01E02 - SSL pinning by Adis Mustedanagić

Upload: denisinfinum

Post on 26-Dec-2014

Category: Technology

DESCRIPTION

In high security environments SSL pinning is important as an additional security measure. This talk covers SSL pinning on iOS using AFNetworking.

TRANSCRIPT

Page 1: Infinum iOS Talks S01E02 - SSL pinning by Adis Mustedanagić

SSL pinning

Page 2:

What is SSL?

• First, what happens when you make an SSL connection?

• The client checks that the server’s certificate has a verifiable chain to a root cert

• The certificate matches the host name

• It does NOT check if that is your certificate

Page 3:

What is SSL pinning?

• In a nutshell: checking if the server’s certificate is exactly the certificate you expect it to be

• Additional layer of security vs MITM attacks

Page 4:

Pinning possibilities

• Pin a certificate

  • Where you match a certificate to a certificate

  • The app needs to be updated every time you renew the certificate

• Pin a public key

  • Where you match a public key

  • The app needs to be updated only if the renewed certificate has a different key

Page 5:

Technical implementation

• In iOS, using AFNetworking

• What you’ll need:

  • an iOS app,

  • AFNetworking,

  • a binary certificate to pin.

Page 6:

Technical implementation

• How to recognise a binary vs base64 certificate?

• It does not look like this:

-----BEGIN CERTIFICATE----- 394230AFDFD4A9EFD... -----END CERTIFICATE-----

• Luckily, the above base64 can easily be converted by running the following command:

openssl x509 -in base64.crt -outform der -out binary.cer

Page 7:

Technical implementation

• Add the certificate to your app’s resources bundle

• Set your security policy to the pinning mode of your choice:

  • [securityPolicy setSSLPinningMode:AFSSLPinningModeCertificate];

  • [securityPolicy setSSLPinningMode:AFSSLPinningModePublicKey];

• Done!

Page 8:

Pitfalls

• Don’t pin the root certificate or the entire bundle

• Certificates need to be in the same project bundle as AFNetworking

• If not, add them manually:

NSString *cert = [[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"];
NSData *certData = [[NSData alloc] initWithContentsOfFile:cert];
policy.pinnedCertificates = @[certData];
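The setup from pages 7 and 8 pulled together as one added example (not code from the talk or from AFNetworking itself): a public-key-pinning policy for AFNetworking 2.x whose certificate is loaded manually from the app bundle. The file name "api.example.com.cer" and the helper name PinnedSecurityPolicy are assumptions; pinnedCertificates is an NSArray in AFNetworking 2.x (it became an NSSet in 3.x).

```objectivec
#import <AFNetworking/AFNetworking.h>

// Added example, not part of the talk. Builds an AFSecurityPolicy that pins the
// public key of the DER ("binary") certificate shipped in the main bundle.
// Assumes AFNetworking 2.x and a bundle resource named "api.example.com.cer".
static AFSecurityPolicy *PinnedSecurityPolicy(void) {
    NSString *path = [[NSBundle mainBundle] pathForResource:@"api.example.com"
                                                     ofType:@"cer"];
    NSData *certData = path ? [NSData dataWithContentsOfFile:path] : nil;

    // A missing or empty pin must fail loudly: AFNetworking with an empty
    // pinnedCertificates list silently degrades to ordinary chain validation.
    NSCAssert(certData.length > 0, @"pinned certificate missing from bundle");

    // Public key pinning survives certificate renewals that keep the same key.
    AFSecurityPolicy *policy =
        [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
    policy.pinnedCertificates = @[certData];

    // Pinning is an additional check, so keep host name and chain validation on.
    policy.validatesDomainName = YES;
    policy.allowInvalidCertificates = NO;
    return policy;
}

// Attach the policy to the request manager that talks to the pinned host.
static AFHTTPRequestOperationManager *PinnedManager(void) {
    AFHTTPRequestOperationManager *manager =
        [AFHTTPRequestOperationManager manager];
    manager.securityPolicy = PinnedSecurityPolicy();
    return manager;
}
```

A request made through PinnedManager() to a host whose leaf public key does not match the pinned certificate fails with a connection error before any response body is delivered.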

Page 9:

Further reading

• https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

• http://nsscreencast.com/episodes/73-ssl-pinning

• http://blog.lumberlabs.com/2012/04/why-app-developers-should-care-about.html

Page 10:

I know kung fu.