The main issue would be that the Tester was able to use Frida to hook on to SSL_CTX_set_custom_verify(). Is there a way to do pinning without it going through SSL_CTX_set_custom_verify?
Does NSPinnedDomains goes through SSL_CTX_set_custom_verify eventually? As the Frida mainly hook on the SSL_CTX_set_custom_verify and returns SSL_verify_none, which just skips through the pinning checks, making any attempts to pin the SSL Certificate redundant.
As for the implementation, we use Trustkit (https://github.com/datatheorem/TrustKit), as linked in the original post. As the README.md file indicates we just implemented it this way:
NSDictionary *trustKitConfig = @{
kTSKSwizzleNetworkDelegates: @NO,
kTSKPinnedDomains : @{
@"domain1.com" : @{
kTSKExpirationDate: @"2017-12-01",
kTSKPublicKeyHashes : @[
@"HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY=",
@"0SDf3cRToyZJaMsoS17oF72VMavLxj/N7WBNasNuiR8="
],
kTSKEnforcePinning : @NO,
},
@"domain2.com" : @{
kTSKPublicKeyHashes : @[
@"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
@"rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE=",
],
kTSKIncludeSubdomains : @YES
}
}};
[TrustKit initSharedInstanceWithConfiguration:trustKitConfig];
In summary, our concern is more of that Frida is able to intercept SSL_CTX_set_custom_verify(). As such, we are unable to pass our Penetration Test for the mobile app.
It is a requirement to Pin the SSL Certificate of the respective domains, but also be able to not be intercepted by hackers and scripts to bypass this SSL pinning checks.
We are looking for solutions to pin our SSL certificate that does not go through SSL_CTX_set_custom_verify(), so that Frida would not be able to hook onto that method to hijack our SSL pinning checks.
Ferdinand-Activate
Users receive reputation points by contributing quality content to the forums.
Posts include post and replies published on the forums.
Post authors can mark replies as Accepted to indicate successful solutions.
Apple Developer Forums admins can mark replies as Apple Recommended to indicate an approved solution
From
Singapore
Post
Replies
Boosts
Views
Activity
SSL Pinning is a requirement by our client's security department. The purpose is to ensure we are communicating with the intended server with the right SSL Certificate. This prevents any man-in-the-middle attacks.
We need to map each domains to a fixed set of SSL Certificates, and prevent any unknown server's SSL Certificate. The app would not proceed to communicate with a server if the domain doesnt match the SSL Certificate specified by the app.
This is to increase security, locking a domain to only a specified SSL Certificate, not allowing any other SSL Certificate, regardless if it is a valid/verified certificate.