Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do you test certificate pinning with Alamofire?

Tags:

ios

swift

alamofire

So I followed Alamofire's instructions on the Read Me regarding their new Server Trust Policy. Got the certificate from the server, added it to my project and implemented the following code in my project:

let serverTrustPolicies: [String: ServerTrustPolicy] = [
        "someserver.withvalidcer.com": .PinCertificates(
            certificates: ServerTrustPolicy.certificatesInBundle(),
            validateCertificateChain: true,
            validateHost: true
        )
    ]

    let manager = Manager(
        configuration: NSURLSessionConfiguration.defaultSessionConfiguration(),
        serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
    )

My question is how do I test this?

I've tried changing my base api url to our test server, which has a different valid certificate, but the api calls are not being rejected. And I have verified that the code is running on the required api calls.

like image 561
Weeman360 Avatar asked Aug 04 '15 13:08

Weeman360

People also ask

How is certificate pinning done?

Pinning is the process of associating a host with their expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host.

How do you protect against certificate pinning bypassing?

Protecting against certificate pinning bypass is done by implementing the Mobile App Attestation concept which allows the API server to detect with high confidence if what is making the request is a genuine mobile app instance or not. This approach will block attackers from accessing data they are not meant to have.

Is certificate pinning obsolete?

HTTP Public Key Pinning (HPKP) is an obsolete Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using misissued or otherwise fraudulent digital certificates.

1 Answers

Great question!

I would recommend trying to use some proxy software to try to get in the middle of the API calls (Charles Proxy, Burp, etc.). When pinning is enabled, all the network requests should fail since the proxy software will be serving you the incorrect certificate. Then, if you disable certificate pinning, the service calls should work properly going through the proxy.

Another way would be to temporarily change the certificate on the server and you should see the web services fail also.

like image 157
cnoon Avatar answered Oct 13 '22 00:10

cnoon
Sign in to Comment

Related questions

Xcode is not showing my buttons, labels, textfields, and views
UIImageView animation based on volume level feedback
UICollectionView with Custom Layout Going Blank
Assembler on 64-bit iOS (A64)
Google Analytics doesn't work in iOS
Is it possible to introspect the array's type in Objective-C Generics -- Xcode 7+
Unable to set "Team" to "None" in Xcode
How to trim the video file and convert to 20 seconds video with Swift?
Switch error: Expected member name or constructor call - what's wrong?
requestImageDataForAsset returns nil image data
Multiple storyboards in Swift
UIToolBar is Transparent
Why is my UITableview Y origin changing based upon the position in TabBarController
Using AVCaptureSession and Audio Units Together Causes Problems for AVAssetWriterInput
Present modal view controller in half size
iOS 8.4 MPNowPlayingInfoCenter skip/prev disappeared
How to import css file in UIWebView when I am using loadHTMLString() method in swift (iOS)
Remove -Objc flag from Cocoapods install
iOS universal framework with iphoneos and iphonesimulator architectures
ubiquityIdentityToken vs. CKContainer accountStatusWithCompletionHandler

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!