Im a newb here but I have an app that is subject to MITM attacks.
After I bit of research it sounds like I need to do SSL Pining, i.e keep a copy of my servers public key/certificate so the can determine if the response came from it.
I have no idea how to do this, I am using AlamoFire in Swift to handle the networking.
Alamofire now implemented the certificate pinning. The documentation you need is in the Readme.md
https://github.com/Alamofire/Alamofire
See their example implementation:
let serverTrustPolicies: [String: ServerTrustPolicy] = [
"test.example.com": .PinCertificates(
certificates: ServerTrustPolicy.certificatesInBundle(),
validateCertificateChain: true,
validateHost: true
),
"insecure.expired-apis.com": .DisableEvaluation
]
let manager = Manager(
serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
)
Alamofire 5.0 is now released. And ssl pinnig is changed. Look at the below code snipped.
let configuration = URLSessionConfiguration.default
configuration.timeoutIntervalForRequest = timeoutIntervalForRequest
let trustManager = ServerTrustManager(evaluators: [
"prod.ehliyetcepte.com": PublicKeysTrustEvaluator(),
"dev.ehliyetcepte.com": DisabledEvaluator()])
self.session = Session(startRequestsImmediately: true,
configuration: configuration,
delegate: self,
serverTrustManager: trustManager)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With