How to protect the app against code injection which bypasses SSL pinning? - ios

While applying an iOS app developed by me to FUT. They were able to intercept, view and modify all traffic between the app and the server even though the traffic was sent over SSL.
A selfsigned certificate was installed on the phone prior to testing. The app traffic was then redirected to a proxy server which presents the self-signed certificate.
In order to bypass the SSL Pinning, the team has hooked on the runtime of the application (process) and have injected code on runtime, which has disabled the function which checks for the SSL Pinning to be made with the corresponding server.
In case this help. I am using Alamofire 4.7.2, Moya 11.0.2
I have no idea about how to do the ssl pinning, please help.

Related

Overriding Self-Signed SSL Certificate Warnings with Electron

There are two prior questions leading to this question (if you're interested):
ssl-for-intranet-applications-deployed-at-multiple-companies
distributing-ssl-certificates-to-all-browsers-in-an-active-directory-environment
In Electron, do you have the ability to override SSL certificate warnings that you'd typically get when using self-signed certificates via a modern web browser?
Typically, in desktop applications, you do not have to adhere to the strict online-banking-level certificate standards that web browsers warn about. The data I'm transferring isn't that sensitive.
As a matter of fact, one of the only reasons I'm moved my app from http to https, is because certain web standard APIs won't function unless the protocol is https. The Notification API is one example.
Otherwise, the data I'm transferring over intranet just isn't that sensitive. Yet, the browsers attempts to burden me (and my users) with Online-Banking-Level certificate authentication.
I'm trying to avoid this somehow and thought that maybe Electron could give me more client-side control for pre-approving my self-signed certificate. Is this doable in Electron?
I have some trouble with https and untrusted proxy certificates and this in my index.js
// We have to deal with self-signed and therefore untrusted root certificates.
global.process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';
It's an intranet application that never reaches out to the internet, so it's ok for me here.

Figuring out to set up HTTPS

I'm a relatively new programmer to backend security so very much in the dark about how to set up HTTPS. I'm currently writing an IOS app that is sending http requests to my public EC2 backend domain, however I'm trying to transition this to HTTPS. Right now the backend is running on the developmental Flask server using HTTPS with a self signed certificate. However the problem is that on the IOS app side, it rejects this as invalid so I'm unable to test HTTPS dependant features. I tried to use the domain exception with the infoplist and ip.xip.io but it still complains that someone could be pretending to be this address. Could someone list in a very systematic way how I should approach building this out,i.e are there any free CA's, do I need a cert from a CA, and how to go about properly connecting the app and backend with HTTPS using my ec2 public ip.
Perhaps the iOS app will authenticate properly using a free community certificate. Investigate free certificate authorities, like letsencrypt. There are several. These work like the commercial CAs such as GoDaddy.
Actually the easiest solution was to just use Ngrok

Install TLS 1.2 Certificate on iOS App

How do I install a certified TLS certificate on an iOS app?
I assume there also needs to be the ability to send a new certificate over the network to the app in the future, if need be, and how exactly would that work?
I assume once it's installed that Apple will handle the entire handshake process of the device side?
Had some trouble finding explicit answers to these questions online.
Assuming that what you are describing is a signed SSL certificate for your domain name, the only thing you will need to do is install it on your web server. When your application makes a request to your web server, the server will send the certificate to the client during the initial HTTPS handshake, and the client will verify it automatically.

SSL communication from iOS app to server

I'm fairly new to SSL and secure connections in general. What are the major steps required for an iOS app to talk to a server over a secure communications channel?
I'm aware that an SSL certificate will probably be necessary. I'm planning to purchase one from a trusted certificate authority. However I'm not sure if both the app and the server need certificates or if it's just the server. Also I'm not sure how to handle SSL errors. Perhaps there's a library that can help with this like ASIHTTPRequest or similar.
If you are using HTTPS as your protocol for communication and have valid certificates on your server all that should be required is changing your http:// to https:// on your client. For HTTP libraries a very popular option now is AFNetworking. It is a bit better maintained than ASI and has some nice block features not supported by ASI.
As far as SSL errors, it is usually a good idea to present the warnings to end users (through alert views or some other means). They could point to real security attacks (but more likely will point to miss configured or expired certificates).

ios generate application specific key

I'm working on an ios application without authentication. Now I would like to protect my server API from calls other then my ios application. A possible solution would be to have the application generate a unique key (based on the appname and the signing), which is not stored on the device since this is the main problem. I could think off an application logic that does some protection combined with some file encryption but the problem is that somewhere something is stored (ex public key can be stored in keychain but still not safe for my API-hackers).
Anyone any tips/advice on how I can handle this ?
thanks in advance
In short, there is no 100% secure way to make sure that the request comes from your application, if the key is available to the iPhone, it's available to extract from the iPhone.
You can make it reasonably safe by calculating a key runtime from info in the application as you say and communicate it over SSL, but a determined attacker can always reverse engineer the key generation too.
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use freely available tools for this, like keytool, and I think (but don't know for sure) that Apple includes a tool for this with the iOS SDK. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource. Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.

Resources