SSL Pinning: Info.plist-based SSL certificate pinning implementation in iOS is not working

I have implemented SSL pinning by following this article https://developer.apple.com/news/?id=g9ejcf8y ; however, the pen testing team was able to bypass SSL pinning using the Objection and Frida tools.

I am using URLSession for API calls. I used Xcode 16. My app's minimum iOS deployment target is iOS 16.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSPinnedDomains</key>
    <dict>
        <key>*.mydomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSPinnedCAIdentities</key>
            <array>
                <dict>
                    <key>SPKI-SHA256-BASE64</key>
                    <string>my SHA256 key</string>
                </dict>
            </array>
        </dict>
    </dict>
</dict>

Could anyone suggest how to mitigate this bypass mechanism?

It’s hard to offer an opinion on this without knowing more about what those tools do. Please elaborate.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
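As an added example, not part of the original post or of Quinn's reply: a POSIX shell script that computes the value NSPinnedCAIdentities expects in SPKI-SHA256-BASE64, that is the base64 encoding of the SHA-256 digest of the CA certificate's DER-encoded SubjectPublicKeyInfo, and checks a certificate against an expected pin. It generates a throwaway self-signed CA as constructed input so it runs offline; the function names and file paths are my own, and a real deployment would point `spki_pin` at the PEM of the CA that issues the server certificates.

```shell
#!/bin/sh
# Added example (not from the forum post): derive the SPKI-SHA256-BASE64
# pin for an NSPinnedCAIdentities entry and verify a certificate against it.
# Requires the openssl CLI. The self-signed CA below is constructed test
# input only; replace it with your real CA certificate.
set -eu

# spki_pin <cert.pem>
# Prints base64(SHA-256(DER SubjectPublicKeyInfo)) of the certificate's key,
# which is the format Apple's NSPinnedCAIdentities / SPKI-SHA256-BASE64 uses.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# spki_pin_from_key <private-key.pem>
# Same value computed from the private key; useful to confirm that the
# certificate you hashed really carries the key you think it does.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# cert_pin <cert.pem>
# Hash of the whole DER certificate. Shown for contrast only: putting this
# value into SPKI-SHA256-BASE64 is a common mistake and will never match.
cert_pin() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# check_pin <cert.pem> <expected-pin>
# Exit status 0 when the certificate's SPKI pin equals the expected value.
check_pin() {
    [ "$(spki_pin "$1")" = "$2" ]
}

# make_test_ca <dir>
# Writes a throwaway self-signed CA (ca.key, ca.pem) into <dir>. Constructed
# input so the script runs offline; never pin a key generated this way.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Stand-alone usage: build the test CA and print the plist-ready pin value.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_test_ca "$dir"
    pin=$(spki_pin "$dir/ca.pem")
    printf 'SPKI-SHA256-BASE64: %s\n' "$pin"
    check_pin "$dir/ca.pem" "$pin" && echo "pin matches certificate"
    rm -rf "$dir"
fi
```

Run it as `sh pin.sh demo` to see the value; paste the `spki_pin` output of your real CA certificate into the `<string>` under `SPKI-SHA256-BASE64`. The value is always 44 characters of base64 (32 digest bytes), and it is the hash of the public key structure, not of the certificate, so the pin survives a certificate renewal that keeps the same key and fails for every connection to the pinned domain if a whole-certificate hash is used instead.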
