How to Bypass iOS SSL Pinning?
Mobile app security has always been one of the most crucial parts of the entire design and development process. This stage alone can make or break the future and success of an app.
Worryingly, the number and variety of security breaches is growing alongside the number of apps active in the stores. One attack that has become common in the mobile domain is the SSL pinning bypass.
What is worse is that it works in one of the most secure ecosystems of the mobile domain, iOS, as well.
The intent of this article is to look into the different ways of how SSL certificate pinning in iOS can be bypassed. This would help your QA team know the routes they have to focus on when ensuring your iOS application security.
Before we move on to the ways SSL pinning can be bypassed in iOS, let me bring everyone onto the same page by describing what it is.
What is SSL Pinning?
When a mobile app communicates with a server, it uses SSL to protect the transmitted data against tampering and eavesdropping. By default, the SSL implementations used in apps trust any server whose certificate chains to a root in the operating system’s trust store.
With SSL pinning, the app is built to reject every certificate except one or a limited set of predefined ones. When the app connects to a server, it compares the server’s certificate with the pinned certificate. Only when there is a match is the server trusted and the SSL connection established.
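As an added illustration of the check just described (example code, not from the original article or any particular app), here is a URLSessionDelegate that first runs the normal chain validation and then requires the leaf certificate to match a pinned SHA-256 hash. It assumes iOS 15 or later for SecTrustCopyCertificateChain, and the hash value is a placeholder you would replace with the digest of your own certificate’s DER bytes.

```swift
import Foundation
import Security
import CryptoKit

/// Constructed example: pins the SHA-256 of the server's leaf certificate (DER encoding).
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Placeholder: hex SHA-256 of the expected leaf certificate's DER bytes.
    private let pinnedLeafSHA256 = "REPLACE_WITH_HEX_SHA256_OF_YOUR_LEAF_CERT"

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle server-trust challenges; let the system handle anything else.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let serverTrust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard chain validation against the OS trust store (expiry, hostname, chain).
        var error: CFError?
        guard SecTrustEvaluateWithError(serverTrust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the leaf certificate must match the pin. A proxy CA installed on the
        // device passes step 1 but fails here, which is exactly what pinning is for.
        guard let chain = SecTrustCopyCertificateChain(serverTrust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()

        if digest == pinnedLeafSHA256 {
            completionHandler(.useCredential, URLCredential(trust: serverTrust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage (constructed): all requests through this session enforce the pin.
let pinnedSession = URLSession(configuration: .default,
                               delegate: PinnedSessionDelegate(),
                               delegateQueue: nil)
```

In practice, pin a small set of hashes (current plus backup certificate or public key) so a routine certificate rotation does not lock users out of the app.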
Now that we have covered the basics, let us look into the different ways iOS SSL pinning can be bypassed. Knowing these routes also answers the question of how to make your iOS apps more secure with SSL pinning.
Here are the techniques you can use as SSL pinning test methods.
Installing Your CA
Installing your own CA is the first step towards getting rid of the SSL errors.
Installing your own CA is fairly easy on iOS. The first step is to get the CA certificate onto the device, which can be done through an email attachment or by downloading the certificate.
To start, you will have to configure the device and the web proxy to intercept the web traffic. If you use Burp Suite, you can browse to http://burp and click on “CA Certificate”.
Next, an “Install” prompt will appear for installing the certificate on your device, as shown below.
When you tap “Install”, you will get a warning that the certificate will be added to the list of trusted certificates.
You can then verify if the certificate was installed by heading to Settings > General > Profile.
In the case of iOS 10.3 and above, you will have to manually authorize trust in the installed certificate by heading out to Settings > General > About > Certificate Trust Settings and then enabling trust for the certificate.
Hope it helps.
Installing Software to iOS Device
If you still get SSL errors, or if the app dies while waiting for a connection, the app is probably performing its own TLS chain validation or SSL certificate pinning. The easiest way to bypass certificate pinning in that case is to install software on the device that disables the check; such tools are easy to set up and run.
Their individual installation instructions are listed on their websites.
Using disassemblers for modifying the IPA file
If everything else fails, you will have to try something more difficult: use a disassembler to modify the IPA file so that the certificate validation is bypassed.
Hopper and IDA are the two best-known disassemblers that you can use for this task.
Once the binary is loaded in the disassembler, you can follow the logic of the functions that are called when the mobile app makes an SSL connection to the server. This will point you to where the iOS certificate pinning is happening. Altering the IPA breaks the application’s signature, so it will not install on any iOS device; re-signing the IPA file allows the modified app to be installed.
iOS penetration testing is one of the must-have security practices you will have to work on, and knowing the techniques used to bypass SSL pinning in iOS is a good proactive start.