How do you test certificate pinning with Alamofire?

So I followed Alamofire's instructions on the Read Me regarding their new Server Trust Policy. Got the certificate from the server, added it to my project and implemented the following code in my project:

import Alamofire

// Pin the certificate(s) shipped in the app bundle for this host.
// Note: certificatesInBundle() loads every .cer file in the main bundle,
// so all of them become valid pins for this host.
let serverTrustPolicies: [String: ServerTrustPolicy] = [
    "someserver.withvalidcer.com": .PinCertificates(
        certificates: ServerTrustPolicy.certificatesInBundle(),
        validateCertificateChain: true,
        validateHost: true
    )
]

// The policy only applies to requests made through this Manager instance;
// the global Alamofire.request(...) functions use Manager.sharedInstance,
// which has no ServerTrustPolicyManager attached.
let manager = Manager(
    configuration: NSURLSessionConfiguration.defaultSessionConfiguration(),
    serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)

My question is how do I test this?

I've tried changing my base API URL to our test server, which has a different valid certificate, but the API calls are not being rejected. And I have verified that the code is running on the required API calls.

Weeman360 asked Aug 04 '15 13:08





1 Answer

Great question!

I would recommend trying to use some proxy software to try to get in the middle of the API calls (Charles Proxy, Burp, etc.). When pinning is enabled, all the network requests should fail since the proxy software will be serving you the incorrect certificate. Then, if you disable certificate pinning, the service calls should work properly going through the proxy.

Another way would be to temporarily change the certificate on the server and you should see the web services fail also.

cnoon answered Oct 13 '22 00:10

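Besides the proxy and server-side checks above, the pinning policy can be exercised offline in a unit test. The following XCTest is an added example, not code from the question, the answer, or Alamofire's own test suite; it uses the Alamofire 2.x / Swift 2 API the question uses. The fixture file names (pinned.cer, other-valid.cer) and the test class name are assumptions.

```swift
import XCTest
import Alamofire

// Assumed fixtures in the test bundle (placeholder names):
//   pinned.cer      the certificate the app pins for someserver.withvalidcer.com
//   other-valid.cer the different, CA-issued certificate the test server presents
class PinningPolicyTests: XCTestCase {
    let host = "someserver.withvalidcer.com"

    // Load a DER-encoded certificate from the test bundle.
    // Certificates are listed explicitly rather than via certificatesInBundle(),
    // which would otherwise also pin other-valid.cer because it is a .cer in the bundle.
    func certificate(named name: String) -> SecCertificate {
        let bundle = NSBundle(forClass: self.dynamicType)
        let path = bundle.pathForResource(name, ofType: "cer")!
        let data = NSData(contentsOfFile: path)!
        return SecCertificateCreateWithData(nil, data)!
    }

    // Build the SecTrust a TLS handshake would hand to the policy for this chain.
    func serverTrust(chain: [SecCertificate]) -> SecTrust {
        var trust: SecTrust?
        SecTrustCreateWithCertificates(chain, SecPolicyCreateSSL(true, host), &trust)
        return trust!
    }

    // The asker's scenario: a different, otherwise valid certificate must be rejected.
    func testOtherValidCertificateIsRejected() {
        let policy: ServerTrustPolicy = .PinCertificates(
            certificates: [certificate(named: "pinned")],
            validateCertificateChain: true,
            validateHost: true
        )
        let trust = serverTrust([certificate(named: "other-valid")])
        XCTAssertFalse(policy.evaluateServerTrust(trust, isValidForHost: host))
    }

    // Sanity check on the pin itself, independent of chain building and expiry:
    // with chain validation off, the policy compares DER bytes only.
    func testPinnedCertificateMatchesByBytes() {
        let policy: ServerTrustPolicy = .PinCertificates(
            certificates: [certificate(named: "pinned")],
            validateCertificateChain: false,
            validateHost: true
        )
        let trust = serverTrust([certificate(named: "pinned")])
        XCTAssertTrue(policy.evaluateServerTrust(trust, isValidForHost: host))
    }
}
```

These tests cover the policy in isolation; they do not catch the case where requests bypass the configured Manager, which only the proxy test in the answer above will reveal.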