Infinum iOS Talks S01E02 - SSL pinning by Adis Mustedanagić
In high-security environments SSL pinning is important as an additional security measure. This talk covers SSL pinning on iOS using AFNetworking.

1. SSL pinning

2. What is SSL?
• First, what happens when you make an SSL connection?
• The client checks that the server's certificate has a verifiable chain to a root certificate in the device's trust store
• The certificate matches the host name
• It does NOT check that this is your certificate: a certificate for your host name issued by any trusted CA passes, and so does one signed by a CA profile the user (or an attacker) has installed on the device

3. What is SSL pinning?
• In a nutshell: checking that the server's certificate is exactly the certificate you expect it to be
• An additional layer of security against MITM attacks: a mis-issued certificate, or one from a rogue or user-installed CA, no longer gets your app to talk to the attacker

4. Pinning possibilities
• Pin a certificate
• Where you match the server's certificate, byte for byte, against a certificate shipped in the app
• The app needs to be updated every time you renew the certificate, and old app versions stop working once the old certificate is gone
• Pin a public key
• Where you match only the public key (the SubjectPublicKeyInfo) in the server's certificate
• The app needs to be updated only if the renewed certificate has a different key, so renew with the same key pair (and ship a pin for a backup key in case the key is ever compromised)

5. Technical implementation
• In iOS, using AFNetworking
• What you'll need:
• an iOS app,
• AFNetworking,
• a binary (DER-encoded) certificate to pin.

6. Technical implementation
• How to recognise a binary (DER) vs a base64 (PEM) certificate?
• A binary certificate does not look like this:
    -----BEGIN CERTIFICATE-----
    394230AFDFD4A9EFD...
    -----END CERTIFICATE-----
• Luckily, the above base64 can easily be converted by running the following command (openssl reads PEM by default, so no -inform is needed):
    openssl x509 -in base64.crt -outform der -out binary.cer

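What the two pinning modes on slide 4 actually compare, and the PEM/DER handling from slide 6, as an added example that is not code from the talk or from AFNetworking. It is Python stdlib only and runs offline: the certificates are constructed X.509 skeletons built with a tiny DER encoder (toy RSA moduli, a dummy signature, the placeholder host name api.example.com), enough to show that a certificate pin changes on every renewal while a public-key pin only changes when the key pair does. The base64 SHA-256 form of the pins is the HPKP convention, used here as a readable fingerprint; AFNetworking compares the raw certificate or key bytes instead, which is the same test.

```python
"""Added example, not code from the talk or AFNetworking: what a certificate pin and a
public-key (SPKI) pin hash, and why only the latter survives a same-key renewal.
Stdlib only. Certificates are CONSTRUCTED X.509 skeletons: toy moduli, dummy signature."""
import base64
import hashlib
import ssl

def tlv(tag, body):
    """DER tag-length-value, short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):  # non-negative; the extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def bitstr(body):  # leading 0x00 = no unused bits
    return tlv(0x03, b"\x00" + body)

SHA256_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
RSA_ENC = tlv(0x06, bytes.fromhex("2a864886f70d010101"))     # rsaEncryption
CN_OID = tlv(0x06, bytes.fromhex("550403"))                   # id-at-commonName
SIG_ALG = seq(SHA256_RSA, b"\x05\x00")                        # with NULL parameters

def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return seq(tlv(0x31, seq(CN_OID, tlv(0x0C, cn.encode()))))

def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key (toy modulus, not a real key)."""
    return seq(seq(RSA_ENC, b"\x05\x00"), bitstr(seq(integer(modulus), integer(exponent))))

def make_cert(serial, cn, spki, not_before, not_after):
    """Self-issued X.509 v3 skeleton; the signature is dummy bytes (constructed)."""
    validity = seq(tlv(0x17, not_before.encode()), tlv(0x17, not_after.encode()))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), SIG_ALG, name(cn), validity, name(cn), spki)
    return seq(tbs, SIG_ALG, bitstr(b"\x00" * 32))

def read_tlv(buf, pos=0):
    """Return (tag, value, whole element, next position) for the element at pos."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def spki_from_cert(der):
    """Return the encoded SubjectPublicKeyInfo: the bytes a public-key pin is taken over."""
    _, cert_body, _, _ = read_tlv(der)
    _, tbs_body, _, _ = read_tlv(cert_body)
    fields, pos = [], 0
    while pos < len(tbs_body):
        tag, _, whole, pos = read_tlv(tbs_body, pos)
        fields.append((tag, whole))
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, SPKI

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def cert_pin(der):  # AFSSLPinningModeCertificate: the whole DER certificate must match
    return b64_sha256(der)

def spki_pin(der):  # AFSSLPinningModePublicKey: only the public key must match
    return b64_sha256(spki_from_cert(der))

def to_pem(der):
    return ssl.DER_cert_to_PEM_cert(der).encode("ascii")

def to_der(data):
    """Accept PEM or DER bytes and return DER, i.e. the openssl x509 -outform der step."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    if data[:1] != b"\x30":  # a DER certificate always starts with a SEQUENCE tag
        raise ValueError("neither a PEM nor a DER certificate")
    return data

KEY_A = rsa_spki(int("c0ffee" * 8, 16))  # constructed toy keys
KEY_B = rsa_spki(int("deadbeef" * 6, 16))
CERT_2023 = make_cert(1, "api.example.com", KEY_A, "230101000000Z", "240101000000Z")
RENEWED_SAME_KEY = make_cert(2, "api.example.com", KEY_A, "240101000000Z", "250101000000Z")
RENEWED_NEW_KEY = make_cert(3, "api.example.com", KEY_B, "240101000000Z", "250101000000Z")

if __name__ == "__main__":
    for label, c in (("2023 cert", CERT_2023), ("renewed, same key", RENEWED_SAME_KEY),
                     ("renewed, new key", RENEWED_NEW_KEY)):
        print(f"{label:18} cert pin {cert_pin(c)[:16]}..  spki pin {spki_pin(c)[:16]}..")
```

Running it prints three different certificate pins but the same public-key pin for the first two certificates, which is the whole argument for AFSSLPinningModePublicKey when your renewal process keeps the key pair. The to_der check also shows the cheap way to tell the two file formats apart before dropping a .cer into the bundle: PEM starts with the BEGIN CERTIFICATE banner, DER starts with the 0x30 SEQUENCE byte.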
7. Technical implementation
• Add the certificate to your app's resources bundle
• Set your security policy to the pinning mode of your choice (one of the two; the default, AFSSLPinningModeNone, ignores the pinned certificates and only does normal chain validation):
    [securityPolicy setSSLPinningMode:AFSSLPinningModeCertificate];
    [securityPolicy setSSLPinningMode:AFSSLPinningModePublicKey];
• Done! Verify it by pointing the app at a proxy with its own CA (mitmproxy, Charles): the request must now fail even when that CA is trusted by the device

8. Pitfalls
• Don't pin the root certificate or the entire CA bundle: anything that CA issues for your host name then passes, which is close to no pinning at all
• Certificates need to be in the same project bundle as AFNetworking: AFSecurityPolicy loads its default pinned certificates (the .cer files) from the bundle that contains its own class, so certificates that live only in your main bundle are not picked up when AFNetworking is in a separate bundle
• If not, add them manually:
    NSString *cert = [[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"];
    NSData *certData = [[NSData alloc] initWithContentsOfFile:cert];
    policy.pinnedCertificates = @[certData];
• An array literal takes no nil terminator (@[certData, nil] raises at run time), and certData is nil whenever the resource is missing from the bundle, so check it before building the array; an empty or missing pin list means nothing is pinned

9. Further reading
• https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
• http://nsscreencast.com/episodes/73-ssl-pinning
• http://blog.lumberlabs.com/2012/04/why-appdevelopers-should-care-about.html

10. I know kung fu.