Any data exchanged between the device and the server travels over the network. The following screen capture provides a high-level mind map of network-level protection:
Certificate pinning is the process of associating a host with its expected X.509 certificate or public key; once obtained, this certificate is pinned in the device. We also covered tweaks for bypassing these techniques in Chapter 7, Full Steam Ahead – Attacking iOS Applications, in the section Beating the SSL certificate pinning. Certificate pinning is the only solution to prevent MitM attacks.
In iOS, certificate pinning is done through NSURLConnectionDelegate. This delegate should implement the following methods:
connection:canAuthenticateAgainstProtectionSpace:
connection:didReceiveAuthenticationChallenge:
Within connection:didReceiveAuthenticationChallenge:, the delegate should call SecTrustEvaluate to perform the traditional checks (chain validation, hostname match, and expiry) before comparing the presented certificate against the pinned one.
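The following delegate is an added illustration of the two methods described above; it is not code from the book. It assumes the app ships a DER-encoded copy of the server's leaf certificate as a bundle resource named pinned_server.der (an assumed file name), and it pins by comparing the presented leaf certificate byte-for-byte with that copy after the traditional SecTrustEvaluate checks succeed.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example delegate (not the book's code): performs the traditional
// trust evaluation first, then pins the leaf certificate to a bundled copy.
@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate

// Tell NSURLConnection that this delegate wants to handle server-trust challenges.
- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    return [protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
    BOOL trusted = NO;

    // 1. Traditional checks: chain builds to a trusted root, hostname matches, not expired.
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(serverTrust, &result);
    if (status == errSecSuccess &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed)) {

        // 2. Pin check: the presented leaf certificate must equal the bundled copy.
        //    "pinned_server.der" is an assumed resource name for this example.
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(serverTrust, 0);
        NSData *presented = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
        NSString *pinnedPath = [[NSBundle mainBundle] pathForResource:@"pinned_server"
                                                               ofType:@"der"];
        NSData *pinned = [NSData dataWithContentsOfFile:pinnedPath];
        trusted = (pinned != nil && [presented isEqualToData:pinned]);
    }

    if (trusted) {
        NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
    } else {
        // A failed chain check or pin mismatch aborts the connection rather than
        // falling back to the system's default acceptance.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

Pinning the whole leaf certificate means the app breaks when the server renews its certificate; pinning the hash of the Subject Public Key Info instead survives renewals that keep the same key. Note also that the two delegate methods above are called only for NSURLConnection; an NSURLSession-based client must perform the same checks in its own authentication-challenge delegate callback.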
In Android, this technique can be done by the custom X509TrustManager class, which...