Carrying Out SSL Pinning in iOS Apps

Let’s establish the basics of SSL (Secure Sockets Layer), the TLS handshake and HTTPS, and the ways in which they protect transmitted data against interception and tampering.

When using the most sensitive websites, such as online shopping or banking, we want to see HTTPS and the padlock icon (green in older browsers) in the address bar. That padlock matters: it indicates that the connection is encrypted and that the server’s certificate chains to a root the browser trusts, which is what protects the session against eavesdropping and man-in-the-middle attacks mounted with stolen, forged or self-signed certificates.

Protocols: HTTP vs. HTTPS

HTTPS is the secure version of HTTP, the protocol used between a browser and a web server: it is HTTP carried over TLS (Transport Layer Security, the successor to SSL; the old name survives in everyday use). HTTPS means that all communication between your browser and the web server is encrypted. Behind HTTPS, the server’s certificate plays the central role in building trust between browser and server. SSL/TLS is the protocol; the certificate is a digital document, issued and signed by a third-party certificate authority, that binds the web server’s identity (its host name) to its public key.

Principle: how the TLS handshake (which pinning builds on) works

If you want to communicate with a web server and want all of that communication encrypted, you type https://www.yahoo.com and press Enter.

  • Your browser requests a secure (HTTPS) page from the Yahoo web server.
  • The Yahoo web server sends its certificate, which carries its public key and a digital signature from a third-party certificate authority (CA).
  • Once your browser has the certificate, it checks the issuer’s digital signature (and the rest of the chain, the expiry dates and the host name) to ensure that the certificate is valid.
  • The padlock indicates that the public key in the certificate belongs to that web server and not to someone else. Now the verification is complete.
  • The two sides now agree on a symmetric session key. In the legacy RSA key exchange described here, the browser generates the secret, encrypts it with the server’s public key so that it never crosses the wire in plain text, and sends it to the server. (Modern TLS, including TLS 1.3, instead derives the session key with ephemeral Diffie-Hellman and uses the server’s private key only to sign the handshake; the trust decision about the certificate is the same either way.)
  • When the web server receives the encrypted secret, it decrypts it with its private key, so both sides now hold the same symmetric key. All traffic between client and server is encrypted and decrypted with that one key. Asymmetric and symmetric algorithms work together: the first to authenticate the server and agree on a key, the second for bulk encryption of the traffic.

Description: why HTTPS and the green padlock appear

An asymmetric key algorithm (public key and private key) is used to identify the owner of the public key and establish trust. Once the connection is established, a symmetric key algorithm (the shared key) is used to encrypt and decrypt all traffic between the two sides.

The green padlock and HTTPS only ensure that all communication between client and server is encrypted and that the server holds the key named in its certificate. They do not say whether the website itself is “safe and good”; anyone can launch a business and obtain a certificate for their website.

Once the client has validated the certificate chain, it extracts the public key from the certificate. This is where SSL pinning comes into play: the key (or certificate) that the client receives from the server is compared with the key pinned inside the app. The two must match; if they do not, the client terminates the session before any application data is sent.

Types of SSL pinning: (1) public key pinning, (2) certificate pinning, (3) SPKI pinning

Certificate pinning pins the entire certificate rather than just the public key. So what happens when your certificate expires? Either the client application has to ship an update containing the new certificate, or the certificate on the server has to be renewed in a way the old app still accepts. For this reason public key pinning is the preferred method: if the certificate is renewed with the same key pair, the key does not change and the app needs no update. This only holds if the server operators actually reuse the key at renewal; many CA and automated-renewal workflows generate a fresh key each time, so confirm that before relying on it, and always pin at least one backup key so that a rotation cannot lock your users out.

SPKI pinning, named after the certificate’s SubjectPublicKeyInfo field, is the newest form of pinning. With this method the application pins a hash (typically SHA-256) of the SubjectPublicKeyInfo structure, which is the public key together with its algorithm identifier, rather than the raw key bytes. Applications that do not use SSL pinning are susceptible to man-in-the-middle attacks, in which an attacker secretly relays and possibly alters messages between the app and the server. SSL pinning lets developers add an extra layer of security to their applications, and it is straightforward to implement with libraries such as AFNetworking for iOS and OkHttp for Android.

Why is SSL pinning required?

A valid certificate on the server is not enough on its own; the same applies to any TLS-protected service the device talks to, including mail accounts that use IMAP over SSL. Attackers can trick users into installing a malicious self-signed root certificate on a mobile device (or a user may install an intercepting proxy’s CA certificate willingly). Once that root is trusted by the device, the intruder can run a MITM proxy that presents certificates the device accepts, and ordinary chain validation passes. Certificate pinning still prevents interception of the app’s network traffic in this scenario, because the proxy’s key is not one of the pinned keys.

How to implement pinning?

Recommendation: do not load pinned certificates from the file system at run time, as that widens the attack surface (a file can be replaced; a value compiled into the binary cannot be changed without repackaging the app). If you pin a certificate, a public key or a hash, be aware that the value is embedded in the application and should be paired with strong tamper-detection mechanisms. It is hard to make a case for pinning the TLS certificate without effective jailbreak/root detection and other binary and runtime protections:

on a jailbroken or rooted device, an attacker can instrument the application with a runtime hooking framework and bypass the pinning check inside the process.

SSL implementation: the primary way to implement certificate pinning in iOS has been to implement the didReceiveAuthenticationChallenge method of NSURLConnectionDelegate. NSURLConnection is deprecated; the NSURLSession equivalent is the URLSessionDelegate method urlSession(_:didReceive:completionHandler:), and the logic is the same. The delegate method is where custom certificate checks go. Certificate validation is performed across the whole chain by invoking SecTrustEvaluate (SecTrustEvaluateWithError on iOS 12 and later) in the delegate before the custom checks, so that pinning narrows the set of accepted keys rather than replacing validation.

How SSL pinning works: applications with SSL pinning are designed to accept only a predefined set of certificates or keys and to reject everything else. As soon as the app connects, the client compares the certificate (or key) presented by the server with the pinned value. If the server’s certificate matches the certificate pinned in the app, the TLS connection is established; otherwise it is torn down.
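Putting the pieces above together (chain validation first, then the pin comparison), here is an added example of an SPKI pinning delegate for NSURLSession in Swift. It is not code from the original article. It assumes iOS 15 or later (SecTrustCopyCertificateChain), that the server key is RSA-2048 or EC P-256 (the two SPKI headers included; any other key type is rejected rather than hashed with a guessed header), and the host name and pin strings are placeholders to be replaced with values generated from your own certificates by the openssl pipeline in the comment.

```swift
import Foundation
import Security
import CryptoKit

/// URLSession delegate that pins the SHA-256 of a certificate's SubjectPublicKeyInfo (SPKI).
/// Added example, not the article's code. Host name and pin values are placeholders.
final class SPKIPinningDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    private let pinnedHashes: Set<String>   // base64(SHA-256(DER SPKI)); include a backup key

    /// Pin values are produced out of band from the server certificate (or from the
    /// backup key's CSR) with:
    ///   openssl x509 -in server.pem -pubkey -noout \
    ///     | openssl pkey -pubin -outform der \
    ///     | openssl dgst -sha256 -binary | openssl enc -base64
    init(host: String, pins: Set<String>) {
        pinnedHost = host
        pinnedHashes = pins
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only server-trust challenges for the pinned host are handled here; anything else
        // (client certificates, HTTP auth, other hosts) falls through to the system default.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: ordinary chain validation (trusted root, expiry, host name) must still pass.
        // Pinning narrows the set of acceptable keys; it never replaces validation.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: at least one certificate in the validated chain must carry a pinned key.
        // Pinning an intermediate or root key is allowed so leaf rotation does not brick the app.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []   // iOS 15+
        let matched = chain.contains { cert in
            guard let hash = Self.spkiSHA256(of: cert) else { return false }
            return pinnedHashes.contains(hash)
        }
        if matched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)   // pin mismatch: fail closed
        }
    }

    /// base64(SHA-256(SPKI DER)) of the certificate's public key, or nil for unsupported keys.
    /// Security.framework exports only the bare key (PKCS#1 RSAPublicKey for RSA, X9.63 point
    /// for EC), so the fixed SPKI algorithm header is prepended to reproduce what the openssl
    /// pipeline above hashes.
    static func spkiSHA256(of certificate: SecCertificate) -> String? {
        guard let key = SecCertificateCopyKey(certificate),
              let attrs = SecKeyCopyAttributes(key) as? [String: Any],
              let keyType = attrs[kSecAttrKeyType as String] as? String,
              let bits = attrs[kSecAttrKeySizeInBits as String] as? Int,
              let rawKey = SecKeyCopyExternalRepresentation(key, nil) as Data?,
              let header = spkiHeader(keyType: keyType, bits: bits) else {
            return nil
        }
        let digest = SHA256.hash(data: Data(header) + rawKey)
        return Data(digest).base64EncodedString()
    }

    /// DER prefix of a SubjectPublicKeyInfo for the key types this app accepts.
    /// Keys of any other type or size are rejected rather than hashed with a guessed header.
    private static func spkiHeader(keyType: String, bits: Int) -> [UInt8]? {
        if keyType == (kSecAttrKeyTypeRSA as String) && bits == 2048 {
            return [0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
                    0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00]
        }
        if keyType == (kSecAttrKeyTypeECSECPrimeRandom as String) && bits == 256 {
            return [0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08,
                    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00]
        }
        return nil
    }
}

// Usage (placeholder host and pins assumed for this example):
let delegate = SPKIPinningDelegate(
    host: "api.example.com",
    pins: ["PRIMARY_PIN_BASE64_PLACEHOLDER=", "BACKUP_PIN_BASE64_PLACEHOLDER="])
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
```

Two details matter in practice. SecTrustEvaluateWithError runs before the pin comparison, so pinning never weakens ordinary validation, and a pin set that includes a backup key lets the server rotate its leaf key without an app release. Because Security.framework exports only the bare key material, the code reconstructs the SPKI by prepending the standard ASN.1 header (the approach TrustKit uses), which is what keeps the in-app hash identical to the one openssl produces from the certificate.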

Certificate trust settings on iOS (and why they are not pinning)

iOS keeps its own list of trusted root certificates. To mark a root certificate installed from a profile as trusted: go to Settings > General > About > Certificate Trust Settings and turn on the switch for that certificate under “Enable full trust for root certificates”. This is exactly the step an attacker, or a penetration tester with an intercepting proxy, uses to make the device accept their CA, which is why an app cannot rely on the device trust store alone.

The “Use SSL” switch for a mail account (tap the account name under “Accounts”, then “Account Info”, then “Advanced”) only turns TLS on or off for that account’s connections; it is not pinning. Apple recommends deploying certificates via Apple Configurator or mobile device management (MDM) rather than asking users to install them by hand.

Conclusion: why should you hire an iOS app development company?

The SSL/TLS handshake establishes a TLS connection between client and server. The client checks the server’s certificate, whose contents are signed by a certificate authority; the TLS client code or TLS library takes care of that validation. SSL pinning, also called public key pinning, ensures on top of this that a known certificate or key appears in the chain. It acts as an additional security layer and defeats MITM and traffic-sniffing attacks.

Certificate pinning means hard-coding trust in the application code, whether by hashing the certificate, trusting the public key, or trusting the certificate itself. Even the root certificate can be faked: someone can inject a bad root into the device store and force the platform to trust it. Hashing the certificate and storing the hash locally in the application means that, whenever the app establishes communication with the server, the presented certificate is validated against that hash. That is a second layer of validation on top of the platform’s chain validation: code at the application level checks the certificate it received, compares it to the stored hash, and proceeds only if the two match.

Both iOS and Android offer a battery of ways to implement certificate pinning. Using OpenSSL as a static library compiled into the app for all connections increases the complexity for an attacker who tries to instrument the application and bypass the pinning controls, because it sidesteps the platform networking APIs that are the usual hooking point; the trade-off is that you then ship and patch your own TLS stack. If you’re looking to enhance security at the web and mobile front end, hire iOS developers from us.

About Author
Neeti Kotia

Neeti Kotia is a technology journalist who seeks to analyze the advancements and developments in technology that affect our everyday lives. Her articles primarily focus upon the business, social, cultural, and entertainment side of the technology sector.
