Man in The Middle Attack and SSLPinning | Ethical Hacking | Charles | iOS | Swift | Xcode

Captions
Hey guys, welcome to my channel iCode. I am Pallav, and today we are going to discuss the security aspects of your iOS application. This video is going to be really interesting because we are not just going to cover the theory, we will see everything in action. We will first see how easily attackers can intercept your web service calls. Then we'll take it a level ahead and see that even if you are using HTTPS and consider the communication with your server secure, it is a myth: we will perform a man in the middle attack using a proxy like Charles, and we'll see how the attack is performed and how the HTTPS calls can be intercepted too. After that we will look at a way to prevent the man in the middle attack, that is SSL pinning. We'll understand SSL pinning in detail, A to Z: what an SSL certificate is, how it looks, where we can generate it from, and how we can pin it to our application so that the attack can be prevented. Then we'll implement SSL pinning in Swift without using any third party libraries. So this video is going to be really interesting: we are going to intercept the web service calls, perform the MITM attack, see how to prevent it, and see how to implement SSL pinning. So let's get started.

Let's see how the web service calls being made by your iOS application can be intercepted. For that I am having this application here, which shows a list of flights from Bombay to London, and on tap of a card it will show the details. Now the backend for this application has been written in Swift; I am running it on my localhost, so here if I change it to flights I get the data. All this data is coming from my local server, and I have written it in Swift. If you want to learn how you can write the backend, the server side programming in Swift, here's the link. As far as the client app is concerned, I am using Combine and SwiftUI for it, so if you want to learn about Combine, here's the link.

Now let's get to the point and see how we can intercept these calls. For that I am having a tool called Charles. Charles is a web proxy that is used for investigating web service calls. It is used for a very ethical purpose: to investigate how the web service calls are being made from your application, to investigate the headers, to investigate the body, and I would encourage you to use it for the same. Now let's see how the calls are actually intercepted. What we are going to do is set up a proxy on the device on which my application is running, and this is how you can do that. You need to go into Settings and select the Wi-Fi that you are using; tap on the Wi-Fi, and at the bottom you will find an option for configuring the proxy. Go there and select Manual. Now you need to enter the address, the local IP of the machine on which you are running Charles, and you can very easily get it from Charles itself: go to Help and then Local IP Address, and here you will find the IP address. I'll just enter it here, that is 192.168.1.138, and in the port you need to enter 8888, that is four times eight, which is the default port for Charles. Though we can change it, we don't want to, so let's keep it like this and hit Save. Now we have configured the proxy for using Charles, and when I use the application I should be able to see the web service calls and the data that is coming.

So let's just try it. I'll tap on my application, and here you can see the call that has been made. If I open it I'll see more details: the call is being made for the endpoint flights, and if I go to Contents, here in the headers I can see what headers are being passed and the response that has been received. The entire JSON response is here. You can see the entire TLS structure: what protocol is being used, what the remote address is, what the server address is, headers, request, response body and everything else. So this is how you can intercept the web service calls. If I tap on a card and make another call, that will also be tracked here. So I made another call for detail, and in detail I am getting the detail for this flight, and the id is 1001. I know it because I wrote the backend, but even if you don't know, you will get all the details here in Charles, so you can further investigate what data is being received and what request is being made. You can examine it and look into the bugs, whatever you want to.

This shows that this application is not very secure. In less than two minutes the entire set of calls has been intercepted, and all the data being communicated, being transferred from my server to my client or from my client to my server, is being read by a third party. That is obviously not what I want, nor what any organization wants. So here comes the role of security. Now this was really easy because my server was not having an SSL certificate. What does it mean? We will have a look at it in detail, but what I mean to say is that the calls were being made over HTTP and not HTTPS. We'll understand the difference, but I just want to make it clear at this point that it was really easy because it was not over a secure network, and the interception and tracking of the calls was really easy. Now we'll introduce more complexity into this: we'll make the web service calls over HTTPS, a secure network, and then we will see whether Charles is able to read that data or intercept that API call or not, and if yes, then what can we do about it.

So let's go for it. For using HTTPS I am using this URL from mocki.io. We generally use mocki for mock responses, and I am using it for the same here. So I am using this URL, and this is the response that I'm getting from it: testing Charles SSL, port 443, status 200 and message success. You can see that it is HTTPS, that is, the request is being made over a secure network. So let's try it and see what happens. I would like to remind you that Charles is still connected, so I still have a proxy configured. Now I try running it and I'll see whether I'm getting the response or not. In the application there's nothing, there's just a view controller, and from viewDidLoad I am calling this method called web service to test SSL. Here I am just having this web service call using the data task and printing the response. That's it, nothing much. So let's see what gets printed in the logs. I can see here that an error has occurred: an SSL error has occurred and a secure connection to the server cannot be made. It identified that Charles proxy is in place somewhere, so that is why the secure communication has not been established and the web service call that I made has failed. This is because the communication is happening over HTTPS. Now it appears very secure, because the proxy was somewhere in between the network, so the call failed, and it is very secure that communication between the server and my client is not happening.

Now let's look at a way to bypass this, to test whether the security is actually working or not, whether the security is actually in place and our application is actually secure or not. What we'll be doing is performing a man in the middle attack. I'll explain to you what the man in the middle attack is and how it is performed, and we will actually perform it. But before that I would like you to see a video about asymmetric cryptography. I explained asymmetric cryptography in the video on provisioning profiles; if you haven't seen the provisioning profile video, here's the link, you can have a look. There I have explained what the difference is between provisioning profiles and certificates and all those, but for the asymmetric cryptography part please have a look at this 40 second video, and then it will be really easy for us to proceed with the man in the middle attack and how to prevent it.

Sam and Jon are two friends, and they decide to encrypt their chat. To do so they came up with the concept of public and private keys. Both of them made a pair of keys, that is a public and a private key. Sam gave his public key to Jon, and Jon gave his public key to Sam. Now when Sam needs to send a message to Jon, he encrypts the message using Jon's public key. When Jon receives the encrypted message, he will decrypt it using his private key. The same will be done by Jon: he will decrypt the message using Sam's public key, and when Sam receives it he will decrypt it using his private key. This concept is called asymmetric cryptography.

Now that you have an understanding of public and private keys and how asymmetric cryptography works, we can understand SSL and how it works. SSL basically stands for Secure Socket Layer, and it is used for secure communication between server and client. This is how it works: there is a certificate authority which issues a certificate for our servers. That certificate is placed at the server end, and when the client makes a request to the server, the server returns a copy of that certificate. The client verifies whether the certificate is from a certificate authority or not, whether it is a valid certificate or not, and if yes, then the client sends a key, just like the public key and private key concept that you just saw. The client sends a key to the server, and then a link between the server and client is established. It is assumed that this link is secure and the data being transferred over this link is secure, or encrypted, and will not be accessible by any third party or any attacker. So this is the whole concept of SSL, and we even saw it when we tried to intercept the call that was being made over HTTPS: we didn't get the response, instead we got an error that there is a proxy between the server and the client, and because of the presence of the third party the link is not secure, and hence the SSL error occurred.

Now let's see how the SSL certificate looks. When we click on this lock icon it will tell us that this particular website is using an encrypted connection, and then there's an option, Show Certificate. When we click on Show Certificate we'll see this certificate; this looks similar to the certificate that we use for our code signing, but let's see it in detail. If you click on Details it will show all the details related to the certificate. The subject name, or the common name, refers to the site to which this certificate is issued, and then there is information about the issuer, basically the certificate authority who has issued the certificate: the name, the region, the serial number and all those details of the certificate authority. Then there is a public key. This public key will be used by the client for decrypting the data that has been sent by the server, the same concept of asymmetric cryptography. Then there's some more information. This follows the X.509 standard, the standard used by certificate authorities to create the certificate. Let's not go into too much detail of the X.509 standard; rather, let's try to perform the man in the middle attack so that we can understand the importance of SSL pinning, because until we bypass the security tunnel we won't understand the importance of SSL pinning. We understood what an SSL certificate is, how it looks, and what it contains: the server sends it to the client, the client sends the key back to the server, and that is how secure communication is established. But we haven't talked about SSL pinning yet, so we will talk about it after doing the MITM attack so that it will be even more clear.

Let's understand the man in the middle attack. We have a server and we have a client; they are communicating over HTTPS, so it is secure. The client is receiving a certificate from the server, and what the client is concerned about is that it should get a certificate from the server and that certificate should be a valid certificate. What the server is concerned about is that it should get the keys from the client after the certificate has been sent. Now here comes our third party, that is our attackers. What they will do is send a certificate to the client, but that will not be the certificate that has been sent from the server. The client will assume that this certificate came from the server and hence it will trust it. Similarly, they will send some keys to the server, and the server will trust that these keys came from the client. So it will appear that the secure communication is there, but in the middle our attackers, our hackers, will be there, listening to the entire communication, and hence our valuable data will be lost; a security breach will be there.

Let's try this. The first thing that we need is a certificate, the certificate that we'll send to the client, and the client will treat it as the server certificate. So let's download the Charles certificate. For downloading, open Safari and go to this URL, chls.pro/ssl. I'll put this link in the description. It will ask if you want to download the profile; allow it, this will be for iPhone, and the profile will be downloaded. The next thing we need to do is go to Settings, and there you will see that the profile is downloaded; install the downloaded profile. Now we have the Charles profile downloaded and installed on our device. After installing the Charles profile, go back to General, About, and at the bottom there will be Certificate Trust Settings. Go there and enable the Charles Proxy certificate, the profile that we just installed. Once this is done, go back to Charles. Remember that the profile will only be downloaded when you are connected to Charles; if you are not connected to Charles, the link chls.pro/ssl will give you an error that please connect to Charles, and then you will be able to download it. Once that is done, come back to Charles, select Proxy and select SSL Proxy Settings. Here we need to add the website for which we want to intercept the calls. I have already added star, that is the wildcard; if we add star, the calls to all the websites will be intercepted. Just to show you, I'll remove it and add it again: you can mention star in the host, this will be a wildcard, and then it will intercept the calls for all the websites, for all the hosts. The port for SSL is 443, this is the standard port, so mention 443 here, and this is done.

Now let's try making the call to our mocki endpoint and see whether it works or not, because it is using HTTPS. This is the call. Let's see what we have here in the summary. If I go to the summary, this is the JSON text, this is the response that is being returned from the server: testing Charles, 443, 200, success. This is what we saw on the browser too, but earlier we were not able to see this because it was using HTTPS, and because of that SSL certificate the data was being encrypted and we were not able to intercept it. After using the proxy certificate, so basically after performing the man in the middle attack, we are able to access the data. Essentially what we did is that we introduced a fake certificate; we passed that certificate to the client, the client trusted that certificate and gave us the keys; we passed our keys to the server, and the server trusted it and gave us the data. This is how the man in the middle attack is performed. Now let's see how we can avoid it. Here comes the role of SSL pinning.

Let's understand it. We saw how the man in the middle attack was performed: a fake certificate, a proxy certificate, was supplied to the client and the client trusted it. Now to fix this there should be a way through which the client can identify that this is a fake certificate and not the certificate of the server to which I am communicating. That's the whole idea of SSL pinning: if we can identify that this is the fake certificate, this is the proxy one, we will not pass our keys, and hence the communication won't be established. To do that there are two ways. One is pinning the certificate itself in the bundle of the application, and the other way is using the public keys. Because the actual certificate, the genuine certificate, is of our server, we can have access to it, and what we can do is get that certificate and embed it into the bundle. Now when the attacker passes us a fake certificate, we will compare both the certificates, and then we can say that this is the fake one and I am not going to proceed with the communication with this one. When we communicate with our actual server, the certificate that will be received will match the one which we already have in our bundle, the match will be successful, and then we can start the communication. This way we are pinning the certificate with our application, so this is called certificate pinning. The second way is the public keys. When we saw the structure of the certificate, the X.509 standard and all that, we saw that there was a public key section. If we can have those public keys within our application and then match the public keys, just like we are matching the certificates, then also we can come to know whether the certificate is fake or not, whether an attacker has passed the certificate and it is an MITM attack, or it is the genuine call that we are making.

So let's implement this in Swift, and we won't be using any third parties for it; we'll use URLSession. Let's start. The first thing that we need is a certificate, the certificate that will be in our bundle, and we can download it from the website against which we are testing our SSL pinning. Here, from mocki.io, if we click on the lock icon where we get the option for viewing the certificate, we can simply drag the certificate onto the desktop and download it. That is what I have done, and I am having this certificate in my code itself. Here I am having this certificate from mocki, and I will be using it for comparing the certificate that I'll be receiving from the server. Now let's look at the code. Do not worry about the code, I'll put it on GitHub and mention the link in the description so you can check it out from there. I'll also put the links to some good articles on SSL pinning. So let's start with the code; I'll give you a quick walkthrough. What we are having here is an object of URLSession. Generally we use URLSession.shared directly and we do not set the delegate, but here, because I want one of the delegate methods to be called, this has been done intentionally, and we'll see soon what that method is and why it is used. Next we are calling our method which is responsible for making the web service call. There's nothing much here, I'm just using the data task for making the web service call. And here comes the method that I was talking about: this is from the URLSession delegate, and the method is didReceive challenge. Let's see what this method does. This method is basically responsible for the authentication. This is the point where we can validate, where we can authenticate, whether the link through which we will be communicating is safe or not, whether it has been compromised or not, whether the certificate that we have received is a valid certificate or not. That is tested here in this method, and this is the first point where any kind of response from the server is validated. So we'll use this method for comparing the certificates, for doing our SSL pinning thing.

The first thing that we are doing here is getting the server trust. You can read it as: we are checking whether we have received a certificate or not. We will go for the comparison later, but let's first check whether we have received a certificate or not; that's why this guard block is here. Then comes the certificate: here we are using the server trust that we got from this guard block to get the certificate. Then we are adding the policy for the domain name check; it is for ensuring whether we have received the certificate from our trusted source or not. Then we are evaluating the server trust; this will be a Bool value which will be used later. After that we are simply getting the remote certificate data, that is, converting the certificate into data, and we are also accessing the certificate that is in our bundle: we get the path for it and then convert it to NSData so that we can compare both the certificates. Here's the block where the comparison is actually happening. We are checking whether isServerTrusted, this Bool, is true or not, and we are then comparing the remote certificate data with our local certificate data. If both the conditions are true, that the server is trusted and the certificates have matched, then we will return useCredential in the completion block. If you see here, the completion block takes an authentication challenge disposition, that is, how you are disposing of the challenge. We will be passing useCredential here, which means that the SSL pinning was successful, the server is the trusted server, the link is safe and we can proceed with the communication. If anything fails in between, we'll pass cancelAuthenticationChallenge. This will mean that the route is not safe and we cannot proceed with the communication: either the certificate is not from the trusted source, it is not from our server, or something in the link is broken, whether the certificate is not valid or we haven't got a certificate at all, because even in that case we are returning cancelAuthenticationChallenge. So this way we are ensuring whether the channel through which we will be communicating is safe or not. This is how SSL pinning is done using the certificate, where we pin the certificate in the bundle itself.

The second and more preferable way is using the public keys. The concept remains the same: here we are comparing the certificates, and with public keys we compare the public keys. That way is more preferable because in the case of certificate pinning we'll need to release a build whenever a certificate has changed, whenever a certificate is updated, but in the case of public key pinning we don't need to ship a new build, because even if the certificate changes the public keys remain the same, and because of that the same build can continue with an updated certificate too. I'll put the link for the implementation of SSL pinning using public keys in the description. The difference is just that we will be comparing the keys: here we have the certificate in the bundle, there we will have the public keys in the bundle, that's it. So I'll put it in the description.

The next thing that I want to talk about is a way through which SSL pinning can be bypassed. We saw that after implementing SSL pinning our application becomes way more secure: we validate the SSL certificates that are coming from our server and proceed with the communication only when they have been verified, when they have been authenticated. But there is a way which hackers use for bypassing SSL pinning. What they do is, on a rooted device, if they get access to your source code, they will manipulate the source code to always return useCredential from this method, irrespective of whether the certificate has matched or not, whether the verification, the validation, the check for the trust has been successful or not; it will always return useCredential. Now it is not that easy or straightforward to access the source code on a rooted device and manipulate it to return success from the challenge disposition, but in case professional hackers get access to it, and when they do, the entire concept of SSL pinning goes down the drain, because irrespective of the comparison, whether it has been true or false, this method will always return true. The way to prevent this is obfuscation. Obfuscation changes the names of your methods, the signatures of your methods, after your build has been successful. So when attackers try to access the source code and manipulate it by returning success for the authentication challenge, it becomes really difficult for them to determine which method is actually responsible for returning the challenge, because the names of the methods have been changed by the obfuscation; the signatures have been changed, the names have been changed, and because of that it gives an additional layer of security. That is what obfuscation does. So SSL pinning does not give a hundred percent guarantee about the security of the application, but still something is better than nothing: using HTTPS over HTTP is more secure, using SSL pinning over directly using HTTPS is more secure, and using obfuscation over SSL pinning is even more secure.

I hope that you have got some idea about the man in the middle attack, SSL certificates, SSL pinning, and how you can enhance the security of your applications. That's pretty much for this video. A new video comes out every weekend, so you can consider subscribing to the channel. Let's write better code together. Happy coding and stay safe.
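The pinning delegate walked through in the captions (server trust, domain-name policy, trust evaluation, certificate comparison, useCredential or cancelAuthenticationChallenge), written out as an added example. This is not the author's GitHub code and not a project file; it also covers the public-key variant the video says is linked separately, so one delegate serves both passages. The bundled resource name "mocki" with a .cer extension and the placeholder URL are assumptions for illustration.

```swift
import Foundation
import Security

/// Which value of the server's leaf certificate is pinned.
enum PinningMode {
    case certificate   // byte-for-byte DER comparison, as in the video walkthrough
    case publicKey     // compare the leaf's public key bytes; survives certificate renewal
}

/// URLSessionDelegate that performs the pinning check inside the
/// authentication-challenge callback described in the video.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let mode: PinningMode
    private let pinnedData: Data   // DER certificate or public-key bytes, loaded once at init

    /// `resourceName` is the bundled .cer file, e.g. "mocki" (assumed name, not from the video).
    init?(mode: PinningMode, resourceName: String, bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: resourceName, withExtension: "cer"),
              let der = try? Data(contentsOf: url),
              let cert = SecCertificateCreateWithData(nil, der as CFData) else {
            return nil   // a missing or unparsable pin must fail closed, not silently disable pinning
        }
        self.mode = mode
        switch mode {
        case .certificate:
            pinnedData = der
        case .publicKey:
            guard let key = PinnedSessionDelegate.publicKeyBytes(of: cert) else { return nil }
            pinnedData = key
        }
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges concern us; other challenge types keep default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Ordinary chain validation plus hostname check (the "policy for domain name" step).
        let policy = SecPolicyCreateSSL(true, challenge.protectionSpace.host as CFString)
        _ = SecTrustSetPolicies(trust, policy)
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError),
              let leaf = PinnedSessionDelegate.leafCertificate(of: trust) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Extract the value to compare from the certificate the server actually presented.
        let presented: Data?
        switch mode {
        case .certificate: presented = SecCertificateCopyData(leaf) as Data
        case .publicKey:   presented = PinnedSessionDelegate.publicKeyBytes(of: leaf)
        }

        // 3. Proceed only on an exact match; a proxy-issued certificate fails here even if the
        //    device has been told to trust the proxy's root.
        if let presented = presented, presented == pinnedData {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// First (leaf) certificate of the evaluated chain.
    private static func leafCertificate(of trust: SecTrust) -> SecCertificate? {
        if #available(iOS 15.0, macOS 12.0, *) {
            return (SecTrustCopyCertificateChain(trust) as? [SecCertificate])?.first
        } else {
            return SecTrustGetCertificateAtIndex(trust, 0)
        }
    }

    /// Raw public-key bytes of a certificate, in the format SecKeyCopyExternalRepresentation returns.
    private static func publicKeyBytes(of cert: SecCertificate) -> Data? {
        guard let key = SecCertificateCopyKey(cert) else { return nil }
        var error: Unmanaged<CFError>?
        return SecKeyCopyExternalRepresentation(key, &error) as Data?
    }
}

// Usage: the delegate has to be installed on the session; URLSession.shared never calls it.
// let delegate = PinnedSessionDelegate(mode: .publicKey, resourceName: "mocki")!
// let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
// let url = URL(string: "https://PINNED-HOST-PLACEHOLDER/flights")!   // placeholder, not a real endpoint
// session.dataTask(with: url) { data, response, error in /* handle result */ }.resume()
```

Two design points follow from the captions. Pinning is done after, not instead of, the normal trust evaluation, so an expired or mis-hosted certificate is rejected even when its bytes match. And the pinned value is loaded in a failable initializer, so a build that ships without the .cer resource refuses to create the session rather than quietly making unpinned requests.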
Info
Channel: iCode
Views: 3,341
Keywords: iOS, swift, xcode, iCode, pallav, pallav trivedi, SSL, SSL Pinning, SSL Certificate, app security, hacking, ethical hacking, man in the middle attack, mitm attack, android, mobile app development, iOS interview question, certificate, public key, asymmetric cryptography, mitm demo, proxy, Charles, Wireshark, obfuscation, private key
Id: HWJ3cCNdKKA
Length: 24min 50sec (1490 seconds)
Published: Fri Sep 03 2021