Infinum iOS Talks S01E02 - SSL pinning by Adis Mustedanagić
In high-security environments, SSL pinning is important as an additional security measure. This talk covers SSL pinning on iOS using AFNetworking.

Transcript

  • 1. SSL pinning
  • 2. What is SSL?
    • First, what happens when you make an SSL connection?
    • The client checks that the server’s certificate has a verifiable chain to a root cert
    • The certificate matches the host name
    • It does NOT check if that is your certificate
  • 3. What is SSL pinning?
    • In a nutshell: checking that the server’s certificate is exactly the certificate you expect it to be
    • An additional layer of security against MITM attacks
  • 4. Pinning possibilities
    • Pin a certificate
      • You match a certificate to a certificate
      • The app needs to be updated every time you renew the certificate
    • Pin a public key
      • You match a public key
      • The app needs to be updated only if the renewed certificate has a different key
  • 5. Technical implementation
    • In iOS, using AFNetworking
    • What you’ll need:
      • an iOS app,
      • AFNetworking,
      • a binary certificate to pin.
  • 6. Technical implementation
    • How to recognise a binary vs. a base64 certificate? A binary certificate does not look like this:
      -----BEGIN CERTIFICATE-----
      394230AFDFD4A9EFD...
      -----END CERTIFICATE-----
    • Luckily, the base64 (PEM) form above can easily be converted by running the following command:
      openssl x509 -in base64.crt -outform der -out binary.cer
  • 7. Technical implementation
    • Add the certificate to your app’s resources bundle
    • Set your security policy to the pinning mode of your choice:
      [securityPolicy setSSLPinningMode:AFSSLPinningModeCertificate];
      [securityPolicy setSSLPinningMode:AFSSLPinningModePublicKey];
    • Done!
  • 8. Pitfalls
    • Don’t pin the root certificate or the entire bundle
    • Certificates need to be in the same project bundle as AFNetworking
    • If not, add them manually (the DER certificate data goes into the policy’s pinned certificates; an array literal must not end in nil):
      NSString *cert = [[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"];
      NSData *certData = [[NSData alloc] initWithContentsOfFile:cert];
      policy.pinnedCertificates = @[certData];
  • 9. Further reading
    • https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
    • http://nsscreencast.com/episodes/73-ssl-pinning
    • http://blog.lumberlabs.com/2012/04/why-appdevelopers-should-care-about.html
  • 10. I know kung fu.
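As an added example that is not part of the talk (and not AFNetworking code), the following shell script makes the trade-off on slide 4 concrete with openssl, the tool slide 6 already uses: it issues two certificates from the same key pair, then shows that a certificate pin changes on renewal while a public-key pin does not. It assumes openssl is on the PATH; the file names and the CN are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original slides): certificate pin vs. public key pin,
# measured with openssl. Assumes openssl is installed; file names and CN are constructed.
set -eu

# "Pin a certificate": SHA-256 over the DER-encoded certificate, i.e. bytes that
# change on every renewal even when the server keeps the same key.
cert_pin() {
    openssl x509 -in "$1" -outform der | openssl dgst -sha256 | awk '{print $NF}'
}

# "Pin a public key": SHA-256 over the DER SubjectPublicKeyInfo, which survives a
# renewal as long as the key pair is reused.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# What an app does at connect time: compare the presented certificate's key pin
# with the pin it shipped with. Returns 0 on match, 1 on mismatch.
verify_key_pin() { # expected_pin cert.pem
    [ "$(spki_pin "$2")" = "$1" ]
}

# Issue a self-signed certificate for an existing key (stands in for a renewal).
issue_cert() { # key.pem out.crt days
    openssl req -x509 -new -key "$1" -out "$2" -days "$3" \
        -subj "/CN=pinning-demo.example" 2>/dev/null
}

# Demo: one key pair, an original certificate and a "renewed" one.
demo_pins() {
    workdir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$workdir/key.pem" 2>/dev/null
    DEMO_OLD="$workdir/old.crt"; DEMO_NEW="$workdir/new.crt"
    issue_cert "$workdir/key.pem" "$DEMO_OLD" 365
    issue_cert "$workdir/key.pem" "$DEMO_NEW" 730
    printf 'cert pin (old): %s\ncert pin (new): %s\n' \
        "$(cert_pin "$DEMO_OLD")" "$(cert_pin "$DEMO_NEW")"
    printf 'key pin  (old): %s\nkey pin  (new): %s\n' \
        "$(spki_pin "$DEMO_OLD")" "$(spki_pin "$DEMO_NEW")"
    # A certificate pin breaks on renewal; a key pin still matches (set -e aborts otherwise).
    [ "$(cert_pin "$DEMO_OLD")" != "$(cert_pin "$DEMO_NEW")" ]
    verify_key_pin "$(spki_pin "$DEMO_OLD")" "$DEMO_NEW"
}

demo_pins
```

Pinning the key rather than the certificate is what lets the app skip an update when the certificate on slide 4 is renewed with the same key pair.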