Hi,
Which APIs will honor NSPinnedDomains?
I read the article Identity Pinning: How to configure server certificates for your app and I was able to successfully verify SSL Pinning for URLSession but not for WKWebView.
Is this expected? What about ASWebAuthenticationSession or SFSafariViewController?
I used Xcode 12.5, iOS Simulator 14.5, and Charles to pin the leaf certificate for domain jsonplaceholder.typicode.com and to emulate a man-in-the-middle (MIM) attack:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSPinnedDomains</key>
    <dict>
        <key>jsonplaceholder.typicode.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSPinnedLeafIdentities</key>
            <array>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>frajXjTbS+rTizBNs0tFkpyy0eEv/Ar4+7HtsFRL5ow=</string>
                </dict>
            </array>
        </dict>
    </dict>
</dict>
Once I enabled SSL Proxying in Charles (emulating a MIM attack), the following code returns with an error, as expected:
URLSession.shared.dataTask(with: URL(string: "https://jsonplaceholder.typicode.com/users")!)
But the information is still loaded in the web view:
let webView = WKWebView()
webView.load(URLRequest(url: URL(string: "https://jsonplaceholder.typicode.com/users")!))
Thanks and kind regards, Marco
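
Added example, not part of the original post: the SPKI-SHA256-BASE64 value in the configuration above is the Base64-encoded SHA-256 digest of the leaf certificate's DER-encoded SubjectPublicKeyInfo, and this Python sketch recomputes it from certificate bytes so the certificate a client actually receives can be compared with the configured pin. All function names are hypothetical, and the sample input is a constructed certificate-shaped DER skeleton with a dummy key, not a real certificate.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo element of an X.509 certificate."""
    tag, pos, _ = read_tlv(cert_der, 0)                # Certificate SEQUENCE
    tbs_tag, pos, tbs_end = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    if cert_der[pos] == 0xA0:                          # optional [0] version field
        pos = read_tlv(cert_der, pos)[2]
    for _ in range(5):                # skip serial, sigAlg, issuer, validity, subject
        pos = read_tlv(cert_der, pos)[2]
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:end]

def spki_sha256_base64(cert_der):
    """Pin string in the form used under the SPKI-SHA256-BASE64 key."""
    return base64.b64encode(hashlib.sha256(spki_of(cert_der)).digest()).decode()

def leaf_matches(cert_der, pins):    # True if the leaf's pin is among the configured pins
    return spki_sha256_base64(cert_der) in pins

# Constructed sample builder (assumption for illustration): a DER skeleton, not a valid cert.
def der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(key_bytes):
    oids = der(0x06, bytes.fromhex("2a8648ce3d0201")) + der(0x06, bytes.fromhex("2a8648ce3d030107"))
    spki = der(0x30, der(0x30, oids) + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")), spki
```

For a real certificate in PEM form, `ssl.PEM_cert_to_DER_cert` from the standard library yields the DER bytes to pass to `spki_sha256_base64`.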