Infinum iOS Talks S01E02 - SSL pinning by Adis Mustedanagić
What is SSL?
• First, what happens when you make an SSL
• The client checks that the server's certificate has a verifiable chain to a root cert
• The certificate matches the host name
• It does NOT check if that is your certificate
What is SSL pinning?
• In a nutshell: checking if the server's certificate is exactly the certificate you expect it to be
• Additional layer of security vs MITM
• Pin a certificate
  • Where you match a certificate to a certificate
  • The app needs to be updated every time you renew the
• Pin a public key
  • Where you match a public key
  • The app needs to be updated only if the renewed certificate has a different key
• In iOS, using AFNetworking
• What you'll need
  • an iOS app,
  • a binary certificate to pin.
• How to recognise a binary vs base64 certificate?
• It does not look like this:
• Luckily, the above base64 can easily be converted by running the following command:
openssl x509 -in base64.crt -outform der -out binary.cer
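The two points above (telling a base64 certificate from a binary one and converting it, and the reason a public-key pin survives a certificate renewal while a certificate pin does not) can be shown together in code. This is an added example written for this page, not code from the talk or from AFNetworking. It assumes pins are SHA-256 hashes of DER bytes (AFNetworking does its own comparison), and it works on a constructed certificate skeleton built by build_sample_cert(), which has the real X.509 field order but empty names and a dummy signature; it is not a real or valid certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def is_pem(data: bytes) -> bool:
    """A base64 (PEM) certificate is text between BEGIN/END markers;
    a binary (DER) certificate starts with the ASN.1 SEQUENCE tag 0x30."""
    return b"-----BEGIN CERTIFICATE-----" in data

def to_der(data: bytes) -> bytes:
    """Same result as `openssl x509 -in base64.crt -outform der -out binary.cer`
    for one certificate: strip the markers and base64-decode the body."""
    if is_pem(data):
        m = PEM_BLOCK.search(data)
        if m is None:
            raise ValueError("malformed PEM block")
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":
        raise ValueError("neither a PEM nor a DER certificate")
    return data

def to_pem(cert_der: bytes) -> bytes:
    """Inverse of to_der, used here only to build a PEM sample input."""
    body = base64.encodebytes(cert_der)  # wraps lines at 76 characters
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    """List the (tag, encoded element) pairs directly inside a SEQUENCE."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = _read_tlv(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out

def spki_der(cert_der: bytes) -> bytes:
    """Return the encoded subjectPublicKeyInfo. Certificate ::= SEQUENCE { tbs, sigAlg, sig };
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serial, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs_body, _ = _read_tlv(cert_body, 0)
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:  # explicit [0] version tag present
        fields = fields[1:]
    return fields[5][1]

def cert_pin(cert_der: bytes) -> str:
    """Certificate pinning compares the whole certificate (here via SHA-256)."""
    return hashlib.sha256(cert_der).hexdigest()

def spki_pin(cert_der: bytes) -> str:
    """Public-key pinning compares only the subjectPublicKeyInfo."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest()

def _tlv(tag: int, payload: bytes) -> bytes:
    """DER-encode one element, using long-form lengths past 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

# Constructed sample subjectPublicKeyInfo: rsaEncryption OID + NULL, dummy key bits.
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                                   + _tlv(0x05, b""))
                         + _tlv(0x03, b"\x00" + b"\x01" * 64))

def build_sample_cert(serial: int, spki: bytes) -> bytes:
    """Constructed certificate skeleton with the real X.509 field order but empty
    names and a dummy signature; it is NOT a valid, signed certificate."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, version + _tlv(0x02, bytes([serial])) + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":
    old = build_sample_cert(1, SAMPLE_SPKI)      # current certificate
    renewed = build_sample_cert(2, SAMPLE_SPKI)  # renewed, same key pair
    print("PEM round-trips to DER:", to_der(to_pem(old)) == old)
    print("certificate pin survives renewal:", cert_pin(old) == cert_pin(renewed))
    print("public-key pin survives renewal:", spki_pin(old) == spki_pin(renewed))
```

Running the file shows the trade-off from the slides directly: the renewed sample certificate (new serial, same key) breaks the certificate pin but keeps the public-key pin, which is why the app only needs a new build when the key itself changes.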
• Add the certificate to your app's resources bundle
• Set your security policy to the pinning mode of your
• Don't pin the root certificate or the entire bundle
• Certificates need to be in the same project bundle
• If not, add them manually:
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate]; // AFNetworking 2.x
// Load the DER-encoded (binary) certificate from the app bundle
NSString *cert = [[NSBundle mainBundle] pathForResource:@"cert" ofType:@"cer"];
NSData *certData = [[NSData alloc] initWithContentsOfFile:cert];
// Array literals take no nil terminator; @[certData, nil] would throw at runtime
policy.pinnedCertificates = @[certData];