Dynamic certificate pinning
I have an iOS application that will be distributed to multiple customers, each using their own network infrastructure. I would like to add some certificate pinning capabilities, but I need to do it in a dynamic fashion since I cannot ship the app with the cert/pubkey bundled, as doing so would require a different build for each customer.

My idea is to query the per-client configured HTTPS server on app startup, get the certificate, potentially extract the public key and then pin it.

Is it possible to do this in Swift or Objective-C? I have not been able to find relevant code samples or documentation.

Templet answered 14/9, 2016 at 19:56 Comment(4)
Have you tried SSLPinningMode? This might help. If you're planning on distributing this on the app store I doubt it'd get accepted (the part about downloading and extracting certificates). – Equate
Here's an example out of iOS Pushing the Limits: github.com/iosptl/ios7ptl/blob/master/ch14-Security/Connection/…. Look at RNSecTrustEvaluateAsX509. It includes the code to extract the certificate from the connection. You can then write the certificate out to a file, and later use standard pinning practices like github.com/rnapier/RNPinnedCertValidator. – Tailspin
Unrelated meta cruft, but @RobNapier are you planning on releasing a new version of Pushing the Limits for iOS 10? – Gorgoneion
@Gorgoneion no. I can't imagine that title continuing in the current market. Too hard to make that work with a traditional publisher, and too few people buy them for the overhead. Might get involved with one of the smaller publishers, but it would be a different kind of book. Thanks for asking. – Tailspin

Operationally, it will be a lot easier to manage and recover from misconfigurations if you embed the certificates or keys in the App. If you just pin whatever certificate the server sent to the App the first time, you have no mechanism to support a new certificate once the current one expires or gets rotated. If that's still what you would like to do, I would recommend looking at the HPKP specification, which implements the same mechanism but for browsers: https://www.rfc-editor.org/rfc/rfc7469

Also, if the App servers are not directly under your control, there is a high chance that pinning will end up bricking the App if the server's certificate unexpectedly changes. Will the team building the App be informed about infrastructure/certificate changes on the App/customer servers, so they can release an update just in time? If not, you should not do it.

Rheumatic answered 20/9, 2016 at 17:16 Comment(1)
I just upvoted this answer. I realise this isn't exactly what the poster is asking, but this answer is very useful and points out the dangers of doing what the poster suggests and gives additional information. As per the help section, this post 'is interesting, well-researched, and useful'. – Alveolate
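To make the trade-off in this answer concrete, here is an added example (not code from the question, the answer, or any project linked on this page) that runs the questioner's first-connection idea and the answer's HPKP-style alternative through the same server lifecycle. It uses constructed byte strings as stand-ins for DER-encoded SubjectPublicKeyInfo blobs, so it needs no network; the pin format (base64 of SHA-256 over the SPKI), the "at least one pin matches some certificate in the chain" rule, and the backup-pin and max-age requirements follow RFC 7469. The policy names, `PinSet`, and the lifecycle steps are this example's own.

```python
"""HPKP-style pin-set logic modelled on RFC 7469, with constructed SPKI stand-ins."""
import base64
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. In a real
# client these bytes come from the server's already CA-validated chain.
CURRENT_SPKI = b"constructed-spki:customer-key-2016"
BACKUP_SPKI = b"constructed-spki:customer-key-2017-offline-backup"
ROGUE_SPKI = b"constructed-spki:unexpected-key"
INTERMEDIATE_SPKI = b"constructed-spki:intermediate-ca"


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    pins: FrozenSet[str]
    # None: never lapses (the first-connection idea); float: RFC 7469 max-age deadline
    expires_at: Optional[float]

    def is_expired(self, now: float) -> bool:
        return self.expires_at is not None and now >= self.expires_at


def tofu_pin_set(chain_spkis: Sequence[bytes]) -> PinSet:
    """The questioner's idea: pin whatever leaf key the server presents first, forever."""
    return PinSet(pins=frozenset({spki_pin(chain_spkis[0])}), expires_at=None)


def hpkp_pin_set(pins: Sequence[str], max_age: float, now: float) -> PinSet:
    """RFC 7469 style: operator-supplied pins, including a backup key that is not in
    the current chain, plus a max-age after which the pins lapse."""
    if len(pins) < 2:
        raise ValueError("RFC 7469 requires a backup pin in addition to the active key")
    return PinSet(pins=frozenset(pins), expires_at=now + max_age)


def evaluate(pin_set: Optional[PinSet], chain_spkis: Sequence[bytes], now: float) -> str:
    """Outcome of one connection. Ordinary X.509 validation is assumed to have
    already passed; pinning is only a second check layered on top of it."""
    if pin_set is None:
        return "unpinned"  # nothing learned or configured yet
    if pin_set.is_expired(now):
        return "expired"  # pins lapsed: fall back to plain CA validation
    # RFC 7469: at least one pin must match the SPKI of some certificate in the chain.
    if any(spki_pin(spki) in pin_set.pins for spki in chain_spkis):
        return "ok"
    return "pin-failure"  # the app refuses to talk to its own server


def simulate(policy: str) -> dict:
    """Run one policy through a server lifecycle and return the per-step outcomes."""
    day = 86400.0
    t0 = 0.0
    first_chain = [CURRENT_SPKI, INTERMEDIATE_SPKI]
    if policy == "tofu":
        pin_set = tofu_pin_set(first_chain)
    elif policy == "hpkp":
        pin_set = hpkp_pin_set(
            [spki_pin(CURRENT_SPKI), spki_pin(BACKUP_SPKI)], max_age=60 * day, now=t0
        )
    else:
        raise ValueError(f"unknown policy {policy!r}")
    rotated_chain = [BACKUP_SPKI, INTERMEDIATE_SPKI]  # planned key rotation
    rogue_chain = [ROGUE_SPKI, INTERMEDIATE_SPKI]     # key nobody announced
    return {
        "same_key": evaluate(pin_set, first_chain, t0 + 1 * day),
        "rotated_to_backup": evaluate(pin_set, rotated_chain, t0 + 30 * day),
        "unexpected_key": evaluate(pin_set, rogue_chain, t0 + 30 * day),
        "unexpected_key_after_max_age": evaluate(pin_set, rogue_chain, t0 + 90 * day),
    }


if __name__ == "__main__":
    for policy in ("tofu", "hpkp"):
        print(policy, simulate(policy))
```

Under the `tofu` policy the planned rotation to the backup key is indistinguishable from an attacker's key: both yield `pin-failure`, and because the learned pin never lapses the app stays bricked until an update ships. Under the `hpkp` policy the rotation passes because the backup pin was published before the key went live, an unannounced key still fails, and once max-age has elapsed the client degrades to ordinary CA validation rather than refusing forever. The example only models the pin decision; it does not touch the extraction of SPKI bytes from a live connection, which on iOS is the job of the URLSession delegate.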

It's possible. I haven't tried myself, but I think you are looking for something like this.

https://github.com/wultra/ssl-pinning-ios

Nitrogenous answered 26/9, 2019 at 16:33 Comment(0)
