Advanced iOS: SSL Pinning in iOS Through URLSession

Captions
Today I'll introduce you to SSL pinning and how quickly you can implement it in an iOS application. SSL pinning is a two-type concept: certificate pinning and public key pinning. How it works I will explain quickly, so that it can reduce your time and you can learn more and more.

Suppose you have a server, and this server is interacting with the client, which is the iOS app. In the app's local bundle you need to store one certificate, and a duplicate copy of that certificate will be stored on your server side. So the server guy will give you a duplicate copy of the certificate, and if those certificates match, that means the SSL pinning works. But what you need to understand first is what the Secure Socket Layer thing is and how it works. Consider that your server is there and it is an HTTPS server, so HTTPS is already there, and now you need to add one more thing: SSL pinning. How is it different? SSL pinning is saying: I will do a handshake, I have a certificate, that certificate will be the unique certificate, it will be shared with the client side as well, and if those match, then I can authenticate and share the data. So the client will request the server, the server will respond to the client with a certificate, and only if this certificate matches the client's certificate can I proceed and get the data from the client side, and the client can send some data to the server as well. So at both sides: on each API call the server will send you the certificate, you need to catch that certificate, extract it, and compare it to your local certificate. That is your SSL pinning, Secure Socket Layer.

With HTTP and HTTPS, a man-in-the-middle attack can be possible. How will a man-in-the-middle attack happen? One hacker will be there who can create the same HTTPS request, the same server environment, and then the client can be confused, because it is completely secure and everything is there, the tunnel is there, the pipeline is there, the data is going, but it is going somewhere else, not exactly to your server. You need to stop this thing, so you pin one more certificate, which is unique, and if he replicates the certificate, the data will not be the same, the public key will not be the same, so you can save your things there. That certificate is given only by your server to you.

Now, what is the public key concept? That I will also explain quickly. Suppose you have two certificates, one on the server side and a duplicate copy on your client side. This certificate has one RSA public key which is 270 bytes long. That key is introduced as a public key or hash key. That public key you need to make hard-coded in your client, so it will be a hard-coded string, and this string you need to store on your iOS device. Where will you get it from? You will get it from your server side, from the server person. He will say: hey, just set this public key hard-coded in your system, on your client side, and whatever certificate comes on each API, you need to catch it, extract the key, and compare that key with this public key. If those match, then you can proceed, acknowledge the data, and share the data on both sides, server side or client side, whatever you want. That will be pretty secure.

Now I want to give you one more brief introduction: why you need to use public key pinning rather than certificate pinning. Why is public key pinning good? Suppose the server has one certificate and this certificate is at the client side as well, but this certificate expires after six or seven months. Now, if you are comparing the certificate, the server guy will give you one new certificate, which will be loaded to the server and also loaded to the local bundle, so you need to force-update your app for your users: version 1.0 will be there, then 1.0.1 will come, saying update your app because your SSL pinning certificate was updated because it expired. So it is a pretty bad practice. With the public key instead, whatever public key was in the first certificate that expired, that same public key will be introduced into the new certificate. So the server guy will tell you: hey, client-side people, you don't need to work over there; whatever public key is there is more than sufficient. I'm just uploading my certificates, but the public key will always remain the same. You need to extract the certificate again and just compare the public key, and it will work for you, so you avoid the force update as well. That's why you need to use SSL public key pinning rather than certificate pinning. So that is the whole history.

Now I'm proceeding further to development, so you can quickly inject this public key into your Xcode project as well. I'm just giving you one example; if you focus there, it will be quickly done by you. An SSLPinningExample project is there, which I'm creating on the desktop. Quickly I'll create one class, the SSLPinningManager class, and in this SSLPinningManager class I'm creating two or three things. This class holds a static let shared object, and that shared object will be the SSLPinningManager. After that you create two things: isCertificatePinning, or let's say public key pinning. Now you need to compare a hard-coded public key; if you are comparing the public key, then a hard-coded public key is required from the server side. I don't know the public key itself yet, but we need to make this.

Now what you need to do: you need to make it an NSObject and adopt the URLSessionDelegate feature, because one function is there, and that function is where you will catch this certificate. From the server side, once the certificate comes on each API, you need to catch it. If you register this delegate function here, you can catch that certificate. Its name is didReceive challenge, the authentication challenge from the server; this will give you that facility, and you need to extract your certificate from each API. Now you need to call one or two functions; you can just call one more function, the callAPI function. So that callAPI is ready now. Now you need to accept the certificate with two conditions: if self.isCertificatePinning is true, then you compare certificates, local and remote, and otherwise you compare keys. There are some things that will help you: two functions I have already taken care of, one is rsa2048Asn1Header and the other is sha256, which will convert the hash key. I'm making those functions here; this is the function which will convert and get your key. Before going further, I want a certificate as well, and also it is saying I don't have some modules, so I need to import those: import Security and import CommonCrypto. After that those errors will vanish. These functions will help you encrypt the key.

I want to proceed and show you the demo. I have a Google URL, www.google.com. If I focus there, one lock icon is there; if you click it, you will see a certificate. In this case there are 0, 1 and 2; the third one, the root certificate, the root certificate authority, this one I want; otherwise it will go with GTS CA 1O1. I want this root certificate, so I went there and I'm dragging it out onto my desktop. If you drag it here, the GlobalSign certificate comes here, and I'll store it in my project. Then I can compare this certificate, because it is already there on www.google.com, which is pretty secure over HTTPS, as I explained. So I will just use this URL; once, I'll call this API. I want to go to our SSLPinningManager, and in this manager class I'm going to introduce the first comparison, the certificate comparison, quickly. If you go and check how you can compare, there are some predefined functions already available in this Security module, so I need to do some code there for comparison. I will do that: get the certificate and compare it.

So we introduced some functions in the SSLPinningManager: the URLSession delegate, callAPI, and two helper functions, rsa2048Asn1Header and sha256, and the hard-coded public key. Everything is ready now, so we can fire both cases and compare those things. If you see, the copied GlobalSign certificate is here, and the URL which we took from google.com, and the one server, from the server side, is a secured server. Now I'm just calling this API, and whether the things come properly or not, we'll see in this example. So you go and call this API: SSLPinningManager.shared.callAPI with the URL, this one, and true first: we are checking the certificate, comparing the certificate. Whatever the response is, it will be in front of you and we can print this response here. Like that you can pin your things.

I'm running this; I'm making breakpoints also. In the pinning manager itself I made some breakpoints, and here also I made some breakpoints, so I can compare the things properly in front of you. It will run the app, and then I want to see: I got the URL, this is the URL, and after this task it should go and hit this delegate function. It should come here into this URLSession delegate function, whether it is coming or not; that I need to check. It should come, but I don't know why it did not come. Maybe the URL that I'm passing here is not perfect? Yes, it is perfect; I need to check it again. The task started execution and then it stopped, so somewhere I'm getting some error. Ah, yes, I forgot to resume the task, sorry for this. Resume the task; now it will work. Once you hit this, it will resume, it will call the challenge function there, it will get the server trust, and my certificate pinning will compare one by one; this is the certificate pinning policy. So I need to call it again, and it will not get any error, and the certificate pinning will be successful. Okay, so this SSL pinning is successfully done.

If you want to change it to your public key, then you can make it false, which will be the better option. Rerun this and you'll get the same thing, but you will compare the public key rather than the certificate on each API. The delegate function will be called, and rather than the certificate, I will check what public key is coming. If you see, the public key data is coming, 2048 bits, and this is the whole history of this data. After that, the data will come like this, a 270-byte data, and then the 270-byte data will be converted with SHA-256, and there this array of hexadecimal values, the static header value, will help out. Then it will convert to a server hash key, and that server hash key is this one. This is the hash key which Google is using for the CA root certificate. Now I need to compare this root certificate's hash with the hard-coded value, because I did not give the hard-coded value yet. I need to give this hard-coded value, otherwise it will cancel and the pinning will fail. So the pinning fails for now, because we deliberately went and cancelled this authentication due to the comparison of the keys. Now, the next time you call it, the public key will match, because our hard-coded value is also matching, and if you compare this again, everything matches, and you will see "SSL pinning successful with public key" is called.

That's all. Hope you can just inject this function, the SSLPinningManager: you simply need to register the delegate, change this URLSession object, and you can compare with this function, with the certificate or with the public key, and get this complete information. Quickly you can implement this SSL pinning in your iOS project using URLSession, Apple's default API. If you want the whole source code, you can proceed to my GitHub account and download it. Thank you, thank you so much for watching.
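The pinning manager the video describes, written out below as an added example; it is not the presenter's code and is not taken from the GitHub repository mentioned in the video. It assumes a host name passed at init, CommonCrypto for SHA-256, and `SecTrustCopyCertificateChain` on iOS 15+ with the older `SecTrustGetCertificateAtIndex` as the fallback. Two checks a practitioner would want are included: normal X.509 evaluation runs before the pin comparison rather than being replaced by it, and the RSA-2048 ASN.1 header is only prepended to keys that actually are RSA 2048 (the 270-byte key in the video is an RSA-2048 PKCS#1 public key, for which that header is correct; an ECDSA leaf would need a different one, and hashing it with this header produces a pin that can never match).

```swift
import Foundation
import Security
import CommonCrypto

/// Pinning policy, mirroring the two cases discussed in the video.
enum PinningMode {
    /// Compare the DER bytes of a certificate bundled in the app against the chain the server sends.
    case certificate(localDER: Data)
    /// Compare base64(SHA-256(SubjectPublicKeyInfo)) of the chain's keys against hard-coded pins.
    case publicKey(pins: Set<String>)
}

final class SSLPinningManager: NSObject, URLSessionDelegate {
    private let pinnedHost: String   // assumption: pins only apply to this one host
    private let mode: PinningMode

    init(pinnedHost: String, mode: PinningMode) {
        self.pinnedHost = pinnedHost
        self.mode = mode
    }

    /// DER prefix of a SubjectPublicKeyInfo for an RSA 2048-bit key. SecKeyCopyExternalRepresentation
    /// returns only the PKCS#1 RSAPublicKey (the "270 bytes" seen in the video), so this header is
    /// prepended before hashing to obtain the standard SPKI pin value.
    private static let rsa2048ASN1Header: [UInt8] = [
        0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00
    ]

    /// base64(SHA-256(SPKI)) for an RSA-2048 key, or nil for any other key type or size,
    /// because the header above is only valid for RSA 2048.
    static func spkiSHA256(of key: SecKey) -> String? {
        guard let attrs = SecKeyCopyAttributes(key) as? [String: Any],
              attrs[kSecAttrKeyType as String] as? String == kSecAttrKeyTypeRSA as String,
              attrs[kSecAttrKeySizeInBits as String] as? Int == 2048,
              let raw = SecKeyCopyExternalRepresentation(key, nil) as Data? else { return nil }
        var spki = Data(rsa2048ASN1Header)
        spki.append(raw)
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        spki.withUnsafeBytes { buf in
            _ = CC_SHA256(buf.baseAddress, CC_LONG(spki.count), &digest)
        }
        return Data(digest).base64EncodedString()
    }

    /// Certificates the server presented, leaf first.
    private static func chain(of trust: SecTrust) -> [SecCertificate] {
        if #available(iOS 15.0, macOS 12.0, *) {
            return (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        }
        return (0..<SecTrustGetCertificateCount(trust)).compactMap {
            SecTrustGetCertificateAtIndex(trust, $0)
        }
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Pinning sits on top of normal validation (trusted root, hostname, expiry), never instead of it.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // A match anywhere in the chain (leaf, intermediate or root) passes, which is what
        // allows pinning the root certificate as the video does.
        let matched: Bool
        switch mode {
        case .certificate(let localDER):
            matched = Self.chain(of: trust).contains { SecCertificateCopyData($0) as Data == localDER }
        case .publicKey(let pins):
            matched = Self.chain(of: trust).contains { cert in
                guard let key = SecCertificateCopyKey(cert),
                      let pin = Self.spkiSHA256(of: key) else { return false }
                return pins.contains(pin)
            }
        }
        completionHandler(matched ? .useCredential : .cancelAuthenticationChallenge,
                          matched ? URLCredential(trust: trust) : nil)
    }

    /// Issues the request through a session that uses this object as its delegate.
    func callAPI(_ url: URL, completion: @escaping (Result<Data, Error>) -> Void) {
        let session = URLSession(configuration: .ephemeral, delegate: self, delegateQueue: nil)
        let task = session.dataTask(with: url) { data, _, error in
            if let error = error { completion(.failure(error)) }   // a failed pin surfaces as a cancelled task
            else { completion(.success(data ?? Data())) }
        }
        task.resume()   // without resume() the delegate is never called, the mistake hit in the video
    }
}
```

To obtain the value to hard-code in `pins`, compute the same SPKI hash out of band with OpenSSL rather than copying it from a debugger session: `openssl s_client -connect www.google.com:443 -servername www.google.com </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` (swap the `x509` input for the intermediate or root PEM if that is the key being pinned). Ship at least one backup pin for a key that is not yet deployed, so a key rotation does not lock every installed app out of the API.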
Info
Channel: iOSCoderAbhimanyuDaspan
Views: 4,835
Keywords: #SSLPinningUsingURLSession, #SSLPinningiOS, #SSLPinningIniOS, #SSLCertificatePinning, #SSLPublicKeyPinning, #SSLPinningSwift, #SSLPinning, #SSL, #SSLiOS, #SSLPinningWithiOS, #Apple, #swift, #iOS, #xcode
Id: kNHZDzQOii4
Length: 19min 58sec (1198 seconds)
Published: Tue Feb 09 2021