Make your iPhone App more secure with SSL Pinning

What is SSL pinning?

An HTTPS connection relies on a valid certificate and a negotiated cipher suite. The server presents its certificate during the handshake; it is the essential component that serves as proof of the server's identity. The client trusts the server if the certificate is valid and signed by one of the trusted Certificate Authorities (CAs); otherwise it aborts the connection.

An attacker can install a malicious root CA certificate on a user's device, so that the client trusts every certificate signed by the attacker, or, even worse, compromise a CA completely. Therefore, trusting the certificates received from the server alone cannot guarantee the server's authenticity, and the connection is open to a man-in-the-middle attack.

Secure Socket Layer (SSL) pinning is a client-side technique used to defeat such an attack. It validates the server certificate a second time after the SSL handshake: a list of trusted certificates is pinned into the client during development, and at runtime the client compares them against the certificates the server presents. The connection is dropped if the server's certificate does not match the local copy, so no further user data goes to that server. In short, SSL pinning ensures that user devices communicate only with the dedicated, trusted servers.

Developers must take extra care with SSL pinning. When a pinned certificate expires, the server gets a new certificate that differs from the pinned one, so clients will not trust it and will terminate the connection: communication between clients and servers is effectively ‘bricked’. To avoid this situation, always pin the future certificates in the client application before release.

There are two ways to achieve SSL pinning in client applications: you can pin either the whole certificate or the hash of its public key. Pinning the hashed public key is the preferred approach, provided the server keeps the same private key when the renewed certificate is signed. It saves the trouble of pinning a new hashed public key for every new certificate and reduces the risk of the app ‘bricking’.

How to make your iOS Apps more secure using SSL pinning?

SSL pinning is one of the best app security options available when building iOS applications. A system library does the work of maintaining the SSL session; the app trying to establish the connection does not itself decide which certificates to trust and which not to.

SSL encryption is based on Public Key Infrastructure and a session key. Encrypting and decrypting with public-key (asymmetric) cryptography is expensive and slows down communication, which is where the session key comes into play: a symmetric session key exchanged during the SSL handshake avoids asymmetrically encrypting the data at the source and decrypting it at the destination.

The certificate’s chain of trust determines the security of SSL. The client checks the server’s SSL certificate as the communication process starts, verifying that the received certificate was issued by a CA in the trusted root CA store or by another user-trusted certificate.

Although SSL itself is very hard to break, there is still a real threat of a man-in-the-middle attack, which can happen through ARP poisoning and DNS spoofing. ARP cache poisoning abuses the Address Resolution Protocol, which is responsible for mapping an IP address to a device's MAC address. For example, consider a network containing a common user’s device A, the attacker’s device B and router C. Device B sends an ARP reply packet to device A posing as router C. Then A sends another ARP reply to C identifying as device B, and the attack is complete. DNS spoofing is an attack technique that corrupts the name server’s domain name mapping: the attacker forces the DNS to return an incorrect IP address and diverts the traffic to their own server.

There are different ways to implement SSL pinning in iOS apps: you can pin using NSURLSession, Alamofire or AFNetworking. Pinning with NSURLSession is a bit tricky, since there is no option to automatically cancel responses that do not match the pinned certificate; to implement SSL pinning on NSURLSession, we need to perform all the checks manually.
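The manual checks for NSURLSession, as an added example that is not code from the original post: a URLSessionDelegate that first runs the normal chain validation and then accepts the connection only if a pinned public key hash appears in the chain. The two pin strings are placeholders, the SPKI header assumes RSA-2048 keys, and the Security calls used require iOS 12 or later.

```swift
import Foundation
import Security
import CommonCrypto

// Added example: manual SPKI (public key hash) pinning in a URLSession delegate.
// The two pin strings are placeholders; replace them with the base64 SHA-256 of your
// server's current and next DER-encoded SubjectPublicKeyInfo (RSA-2048 assumed).
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedHashes: Set<String> = [
        "PLACEHOLDER_CURRENT_KEY_SHA256_BASE64",
        "PLACEHOLDER_BACKUP_KEY_SHA256_BASE64",   // pre-pinned next key avoids "bricking"
    ]
    // DER SubjectPublicKeyInfo header for RSA-2048, prepended to the raw key bytes so the
    // hash matches the one computed from the certificate's PEM public key with openssl.
    private let rsa2048SpkiHeader: [UInt8] = [
        0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
    ]

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        // Step 1: standard chain and hostname validation. Pinning adds to it, never replaces it.
        SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString))
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        // Step 2: accept only if some certificate in the validated chain carries a pinned key.
        for index in 0..<SecTrustGetCertificateCount(trust) {
            guard let cert = SecTrustGetCertificateAtIndex(trust, index),
                  let key = SecCertificateCopyKey(cert),
                  let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else { continue }
            if pinnedHashes.contains(sha256Base64(Data(rsa2048SpkiHeader) + keyData)) {
                return completionHandler(.useCredential, URLCredential(trust: trust))
            }
        }
        // No pin matched: cancel so no user data is sent to this server.
        completionHandler(.cancelAuthenticationChallenge, nil)
    }
    private func sha256Base64(_ data: Data) -> String {
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        data.withUnsafeBytes { _ = CC_SHA256($0.baseAddress, CC_LONG(data.count), &digest) }
        return Data(digest).base64EncodedString()
    }
}
```

Pass an instance as the delegate when creating the URLSession; because the loop walks the whole chain, you may pin an intermediate CA key instead of the leaf key if your certificates rotate often.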

Alamofire SSL pinning is simple. The ServerTrustPolicy.certificates(in:) method in Alamofire returns all certificates in the bundle. First, we load those certificates into a ServerTrustPolicy. Then a ServerTrustPolicyManager is instantiated with a dictionary that maps each domain name to its ServerTrustPolicy. Only the predefined domains are pinned in Alamofire.
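The same configuration written out, as an added example rather than code from the post, using the Alamofire 4 ServerTrustPolicy API (Alamofire 5 replaced it with ServerTrustManager). The two host names are placeholders, and the .cer files are assumed to be in the app bundle; it shows both pinning styles from the section above, public key for one host and whole certificate for the other.

```swift
import Alamofire

// Added example (Alamofire 4 API): placeholder hosts, certificates shipped as .cer in the bundle.
func makePinnedSessionManager() -> SessionManager {
    let policies: [String: ServerTrustPolicy] = [
        // Preferred: pin the public keys, so a renewed certificate with the same key pair still works.
        "api.example.com": .pinPublicKeys(
            publicKeys: ServerTrustPolicy.publicKeys(in: Bundle.main),
            validateCertificateChain: true,   // keep normal chain validation in addition to the pin
            validateHost: true
        ),
        // Alternative: pin the whole certificate; every renewal then needs an app update.
        "cdn.example.com": .pinCertificates(
            certificates: ServerTrustPolicy.certificates(in: Bundle.main),
            validateCertificateChain: true,
            validateHost: true
        ),
    ]
    // Hosts absent from this dictionary are not pinned and get default evaluation.
    return SessionManager(
        configuration: URLSessionConfiguration.default,
        serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
    )
}
```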

SSL pinning in AFNetworking is straightforward. You assign an AFSecurityPolicy object to the AFHTTPRequestOperationManager, and by default it scans your bundle for the certificates to pin.
