Insufficient Transport Layer Security in iOS
Implementation
Apple's built-in pinning support ("Identity Pinning") is configured in the app's Info.plist rather than in code: under NSAppTransportSecurity, an NSPinnedDomains dictionary lists, per domain, one or more SPKI-SHA256-BASE64 values. Each value is the Base64-encoded SHA-256 hash of a certificate's DER-encoded SubjectPublicKeyInfo (the public key, not the whole certificate), and at least one of them must match a CA or leaf certificate in the chain the server presents. Because the check is enforced by the system's URL loading layer, it applies to every existing URLSession request in the app with no code changes, as long as the app uses the system networking stack and not a third-party TLS implementation. Apple's article "Identity Pinning: How to configure server certificates for your app" covers the details.
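The plist configuration described above, as an added example that is not from the original page or from Apple's article. The hostname is assumed, the two pin strings are placeholders (real values are computed from the CA certificate with the openssl pipeline shown in the comment), and the second entry is the backup pin that lets the app survive a planned CA change:

```xml
<!-- Added example, not from the original page. Host and pin values are placeholders. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSPinnedDomains</key>
    <dict>
        <key>api.example.com</key>            <!-- assumed hostname -->
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- Pinning the issuing CA's key rather than the leaf means routine leaf
                 renewals under the same CA do not break the app. Compute a value with:
                 openssl x509 -in ca.pem -pubkey -noout \
                   | openssl pkey -pubin -outform DER \
                   | openssl dgst -sha256 -binary | base64 -->
            <key>NSPinnedCAIdentities</key>
            <array>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>BASE64-SPKI-HASH-OF-PRIMARY-CA</string>   <!-- placeholder -->
                </dict>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>BASE64-SPKI-HASH-OF-BACKUP-CA</string>    <!-- placeholder -->
                </dict>
            </array>
        </dict>
    </dict>
</dict>
```

Use NSPinnedLeafIdentities instead of (or alongside) NSPinnedCAIdentities to pin the server's own key; either way, keep the backup key's private half offline so a compromise of the live key does not also burn the backup. This mechanism requires iOS 14 or later.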
Plist-based pinning only arrived in iOS 14, however, so several code-level solutions exist that do the same job. Alamofire (through its ServerTrustManager) and TrustKit both provide pinning if you already use those frameworks. A Swift-only solution built on the URLSession delegate looks something like this:
class NSURLSessionPinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Swift.Void) {
        if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
            if let serverTrust = challenge.protectionSpace.serverTrust {
                // Standard validation first (expiry, hostname, trusted root); pinning is an extra check, not a replacement for it.
                let isServerTrusted = SecTrustEvaluateWithError(serverTrust, nil)
                if isServerTrusted {
                    if let serverCertificate = SecTrustCopyCertificateChain(serverTrust) as? [SecCertificate] {   // iOS 15+
                        let cert1 = SecCertificateCopyData(serverCertificate.first!) as NSData   // DER of the leaf the server presented
                        if let file = Bundle.main.path(forResource: "vulnerableapp", ofType: "der") {   // DER copy bundled with the app
                            if let cert2 = NSData(contentsOfFile: file) {
                                if cert2.isEqual(to: cert1 as Data) {
                                    print("SSL Pinning Complete!")
                                    completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust: serverTrust))
                                    return
                                }
                            }
                        }
                    }
                }
            }
        }
        // Every other path (wrong certificate, missing bundled .der, failed chain validation): refuse the connection.
        completionHandler(.cancelAuthenticationChallenge, nil)
    }
}
Because the check lives in a session delegate, it only protects requests made through a URLSession that was created with that delegate; anything sent via URLSession.shared, or through a session built without it, is not pinned at all, which is how this approach ends up silently unenforced. To pin every request, create each session with the delegate class above:
let session = URLSession(
    configuration: URLSessionConfiguration.ephemeral,
    delegate: NSURLSessionPinningDelegate(),
    delegateQueue: nil)
As with any pinning scheme, Apple's guidance is to pin more than one key or certificate (the live one plus at least one backup whose private key is kept offline) and to track their expiry dates. On mobile this matters more than on the web: a replacement pin only reaches users after App Store review and after each user installs the update, so rotating a certificate when no backup pin has already shipped can lock every existing install out of the backend until the new build propagates.
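The code-level delegate above pins a single bundled certificate, so a renewal or rotation with no second pin shipped breaks the app, exactly the failure mode described. The following is an added example, not code from the original page or from any of the libraries it names: a URLSessionDelegate that pins on the SubjectPublicKeyInfo hash (the same SPKI-SHA256-BASE64 form the plist mechanism uses) and accepts a match anywhere in the validated chain, so a backup key and a CA key can both be listed. The hostname and pin strings are placeholders, and the DER header prefixes for RSA-2048 and P-256 keys are the same ones TrustKit uses to rebuild the SPKI from the raw key Security.framework hands back.

```swift
import Foundation
import Security
import CryptoKit   // SHA256; iOS 13+

/// Added example (not from the original page). Pins on public-key hashes with a
/// backup pin, so a certificate renewal under the same key, or a planned key
/// rotation to the backup, does not lock users out. Pin values are placeholders.
final class PublicKeyPinningDelegate: NSObject, URLSessionDelegate {

    /// SPKI-SHA256-BASE64 pins per host. Assumed host; always ship at least two.
    private let pinnedHosts: [String: Set<String>] = [
        "api.example.com": [
            "BASE64-SPKI-HASH-OF-CURRENT-KEY",   // placeholder
            "BASE64-SPKI-HASH-OF-BACKUP-KEY",    // placeholder, private half kept offline
        ],
    ]

    // DER SubjectPublicKeyInfo prefixes; SecKeyCopyExternalRepresentation returns
    // only the key material, so the prefix must be put back before hashing.
    private static let rsa2048Header: [UInt8] = [
        0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00]
    private static let ecP256Header: [UInt8] = [
        0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
        0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
        0x42, 0x00]

    /// Base64(SHA-256(DER SubjectPublicKeyInfo)) for a certificate's key, or nil
    /// when the key type/size has no known header (treated as a pin mismatch).
    static func spkiPin(for certificate: SecCertificate) -> String? {
        guard let key = SecCertificateCopyKey(certificate),
              let attrs = SecKeyCopyAttributes(key) as? [String: Any],
              let type = attrs[kSecAttrKeyType as String] as? String,
              let bits = attrs[kSecAttrKeySizeInBits as String] as? Int,
              let raw = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            return nil
        }
        let header: [UInt8]
        if type == (kSecAttrKeyTypeRSA as String) && bits == 2048 {
            header = rsa2048Header
        } else if type == (kSecAttrKeyTypeECSECPrimeRandom as String) && bits == 256 {
            header = ecP256Header
        } else {
            return nil
        }
        let spki = Data(header) + raw
        return Data(SHA256.hash(data: spki)).base64EncodedString()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only server-trust challenges are our concern; let the system handle the rest.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Hosts without pins get ordinary validation; pinned hosts never fall back.
        guard let pins = pinnedHosts[space.host] else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Standard chain validation first (expiry, hostname, trusted root).
        guard SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate] else {   // iOS 15+
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Any certificate in the validated chain may carry a pinned key, so a
        //    pin can name the leaf, an intermediate, or the CA.
        let matched = chain.contains { cert in Self.spkiPin(for: cert).map { pins.contains($0) } ?? false }
        completionHandler(matched ? .useCredential : .cancelAuthenticationChallenge,
                          matched ? URLCredential(trust: trust) : nil)
    }
}

// Every session that talks to a pinned host must be built with the delegate;
// URLSession.shared bypasses it.
let pinnedSession = URLSession(configuration: .ephemeral,
                               delegate: PublicKeyPinningDelegate(),
                               delegateQueue: nil)
```

The header table deliberately covers only RSA-2048 and P-256; any other key type yields no pin and therefore a refused connection, which is the safe direction. Pin values can be generated offline with the same openssl pipeline used for the plist approach, so the two mechanisms share one set of pins.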