Is there a best way to do certificate pinning in iOS to avoid a man-in-the-middle attack? Or is there any substitute approach that Apple provides to make a secure connection?
Currently I'm using a certificate pinning approach where either I have to store the .der file in my app to compare with the server certificate, or, as option 2, do SHA1 or MD5 validation. But in this case the app needs regular updates whenever those certificates change.
Is there any other concrete approach that Apple provides for SSL/TLS validation?
Any demo code sample will be helpful
Thanks in advance
OWASP provides good information about this topic, including sample code for various OSes, including iOS.
AFNetworking provides the AFSecurityPolicy class to deal with certificate and public key pinning.
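The "app needs regular updates whenever the certificate changes" problem in the question comes from pinning the whole certificate (or its hash). Pinning the SubjectPublicKeyInfo (SPKI) instead, which is what AFSecurityPolicy's public-key mode and the OWASP material describe, lets a renewed certificate that keeps the same key pair pass without an app update. The following is an added example, not code from the question, the answers, OWASP or AFNetworking; it is written in Python rather than Swift so the pin logic itself is easy to follow. It builds its own minimal X.509 structures from constructed bytes (no real keys, dummy signature; names such as make_cert and PIN_SET are assumptions of this example), extracts the DER SPKI and computes the Base64(SHA-256) pin that most pinning libraries use, then checks a server chain against a pin set that includes a backup pin.

```python
"""Public-key (SPKI) pinning check, written as a stand-alone example.

Pins are SHA-256 hashes of the DER-encoded SubjectPublicKeyInfo, the same
format HPKP and most mobile pinning libraries use. Pinning the key rather
than the whole certificate means a renewed certificate with the same key
pair still matches, so the app does not need an update for every renewal.
The certificates below are constructed in this file (structure only, dummy
signature); signature and chain validation stay the OS's job and are not
performed here.
"""
import base64
import hashlib

SEQ, INT, BITSTR, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    """Encode one TLV."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val, body[start:pos]))
    return out


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo from an X.509 certificate."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs_fields = children(children(cert_body)[0][1])
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    #   issuer, validity, subject, subjectPublicKeyInfo, ... }
    if tbs_fields[0][0] == CTX0:
        tbs_fields = tbs_fields[1:]
    return tbs_fields[5][2]


def spki_pin(cert_der):
    """Base64(SHA-256(SPKI)) pin string for one certificate."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def chain_matches_pins(chain_der, pins):
    """True if any certificate in the server's chain carries a pinned key."""
    return any(spki_pin(c) in pins for c in chain_der)


# --- constructed test certificates (assumed values, not real keys) ---
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def make_spki(key_material):
    """SubjectPublicKeyInfo wrapping placeholder key bytes (constructed)."""
    alg = der(SEQ, der(OID, RSA_OID) + der(NULL, b""))
    return der(SEQ, alg + der(BITSTR, b"\x00" + key_material))


def make_cert(spki_der, serial):
    """Minimal v3 certificate shell around an SPKI; the signature is a dummy."""
    version = der(CTX0, der(INT, b"\x02"))
    sig_alg = der(SEQ, der(OID, SHA256_RSA_OID) + der(NULL, b""))
    name = der(SEQ, b"")  # empty distinguished name is enough for this example
    validity = der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"250101000000Z"))
    tbs = der(SEQ, version + der(INT, bytes([serial])) + sig_alg + name + validity + name + spki_der)
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + bytes(16)))


SPKI_A = make_spki(b"\x01" * 32)          # the server's key pair
SPKI_BACKUP = make_spki(b"\x03" * 32)     # spare key pair kept offline for rotation
CERT_2024 = make_cert(SPKI_A, 1)          # original certificate
CERT_2025_RENEWED = make_cert(SPKI_A, 2)  # renewed: new serial, same key
CERT_OTHER_KEY = make_cert(make_spki(b"\x02" * 32), 3)  # unrelated key: must be rejected

# Ship the live pin plus a backup pin so a key rotation does not strand users
# on a build whose only pin no longer matches anything.
PIN_SET = {
    spki_pin(CERT_2024),
    base64.b64encode(hashlib.sha256(SPKI_BACKUP).digest()).decode(),
}

if __name__ == "__main__":
    print("renewed cert accepted:", chain_matches_pins([CERT_2025_RENEWED], PIN_SET))
    print("foreign key accepted: ", chain_matches_pins([CERT_OTHER_KEY], PIN_SET))
```

In the real app this check runs inside the URL session's authentication challenge handler after the system has already validated the chain; the pin set is an additional constraint, never a replacement for trust evaluation.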
I have some doubt about APNs on the server side. I had used a third-party tool (Parse) as the server side, but I didn't know how to do it with my own server. Could anyone clarify?
Thanks advance
An excellent tutorial for the same -> https://www.raywenderlich.com/123862/push-notifications-tutorial
Uses PHP & Swift.
How does the backend work --> (Already explained in the tutorial)
You have to create the push notification certificate from the developer portal; when you create that, you also have a private key attached.
They together form the PEM, which marks authorisation.
Post that, you simply call the apple push servers to send a notification.
This is different for development and distribution though.
I need to generate a PDF in my app (which has been done), and then mark it with a digital signature for security purposes (which still needs to be taken care of).
Here, I am not talking about simply pasting an image (containing a signature) in the PDF file, but actually using a public key/private key for this purpose.
I have Googled a lot, but all I could find was how to add a signature image in the pdf. Does Apple provide any libraries for digital signature?
Note that you also need to understand and discuss (with the right business person) the security of the digital certificate(s) used for signing.
If you want to ensure that no one/nothing except for authorized people and processes will be able to sign with the certificate, then the certificate must be stored in a secure hardware device.
The two common secure signing system types are smart cards and signing servers. Smart cards can be difficult to interface to. Signing servers are easy to use via network APIs. Example signing server APIs. Signing servers are available as web services if you want.
I have an iOS application that uses certificates for message signing following the Digital Signature Algorithm (DSA). In order to perform this signing, the app needs the certificate as well as the private key associated with the certificate. And I cannot embed the certificate in the app, as my customers need to be able to generate and distribute their own certificates to be used by the app whenever they need. (And embedding a certificate would constitute a security risk anyway.)
Does anyone have any thoughts on how I might go about distributing the certificates and private keys?
PS. We do the same thing on BlackBerry and, there, we use BlackBerry Enterprise Server and APIs on the BlackBerry device to push certificates to the devices in the organization. I'm hoping there's an MDM solution to this for iOS but haven't been able to find anything yet.
Thanks much
You ask:
Does anyone have any thoughts on how I might go about distributing the certificates and private keys?
I'm sorry I don't know enough about your specific situation to tell you exactly how to meet your requirement, but I can tell that's not how it's usually done. Instead the public/private key pair is normally generated on the device, then the public key (only) is submitted with additional data (in a Certificate Signing Request, CSR, for example), to a server (Certification Authority, CA), which generates the certificate and returns it to the requester (and possibly publishes it in a directory).
An important security benefit to this approach is no third party has access to the private key (the CA needs the public key and doesn't need the private key). This is required for non-repudiation (so the device owner can't claim someone got his private key from the central server).
On iOS, there is no straightforward way to distribute a certificate and its private key to an app. Apple suggests using PKCS12 and provides some guidance in this document: Technical Q&A QA1745: Making Certificates and Keys Available To Your App.
I want to encapsulate UIWebView so that it can handle both HTTP and HTTPS requests on the iOS platform; especially for HTTPS, it should handle both trusted and unverified (developer-defined) certificates. Is there any open source available to take as reference?
Thanks in advance.
Graham Lee discusses some of the things you can do at On SSL Pinning for Cocoa [Touch]. It's about as close as you are going to get to open source: it's sample code that shows you how to do it with NSURLConnection and NSURLConnectionDelegate.
Lee's article discusses how to pin a public key, which improves security on the channel. Public Key Pinning is equivalent to StrictHostKeyChecking in SSH. In addition, I believe you can use NSURLConnection and NSURLConnectionDelegate to trust your [otherwise] untrusted certificates (I don't observe the practice, so I'm not sure of the details).
Be careful of lessening (ruining?) the security built into the channel. A survey and analysis of dumb developer decisions was recently published at Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. It's not limited to Android.
Create a network connection to handle the SSH challenge, untrusted certification.
This bit of code may be of help https://github.com/dirkx/Security-Pinning-by-CA - it does exactly that.
NOTE: This question is NOT related to the keys and certificates used for iOS development/provisioning.
I would like to use TLS client certificates for authentication of iOS devices running my app. In order to achieve this securely, it would be ideal if the device generated its private key itself and requested a certificate from our in-house CA.
I can't find an API in the docs for doing this, but I can see that iOS supports TLS client certificate authentication, so it seems logical that it would be possible. Can anyone point me in the right direction?
Actually there is an Objective-C wrapper of OpenSSL available, which may be of some help to you: https://github.com/aidansteele/SSCrypto.
You can also use mycrypto ( https://bitbucket.org/snej/mycrypto/wiki/Home ), a high-level Objective-C wrapper for many cryptographic tasks.