Man in The Middle Attack and SSLPinning | Ethical Hacking | Charles | iOS | Swift | Xcode
HTML-код
- Опубликовано: 5 июл 2024
- In this video, I’ve discussed about some of the good practices for enhancing the security of an iOS Application. I’ve demonstrated that how Charles can be used for intercepting the web service calls, how HTTPS prevents it. Further, how Man In The Middle Attack can be performed (using Proxy certificate) for bypassing HTTPS security. What is SSL Certificate, how does it work, asymmetric cryptography, why it should be pinned (SSL Pinning) with the app, Certificate Pinning and Public Key Pinning, in what scenario can SSL pinning fail and obfuscation.
Implementation of Certificate Pinning -
gist.github.com/pallavtrivedi...
Inspiration & implementation of Public Key Pinning -
/ ssl-pinning
Credits -
Hacking video (used in starting of the video) by Mikhail Nilov from Pexels
www.pexels.com/@mikhail-nilov...
Chapters 👇🏼
00:00 Start
00:09 Introduction
01:07 Intercepting web service calls made over HTTP
02:23 Configuring Charles
05:40 How HTTPS differs from HTTP
07:55 Asymmetric Cryptography
08:41 SSL Certificate and it’s working
11:19 Man In The Middle Attack (Concept)
12:20 Man In The Middle Attack (In Action)
15:43 SSL Pinning
22:24 Obfuscation
Haven't been able to find a better explanation in the whole internet! 👏
I love your videos..! They are always so detailed and they always focus on things that you simply cant find in normal iOS tutorials. Keep them coming..! 🎉🎉🙏🏻🙏🏻
Thanks Rushil 🙂
Excellent video. Thanks for making the concept clear in a very easy-to-understand way and also through a simple demo.
I agree, some times we face issue to bypass by cause of different logic of how the code is written and what function to call. Also would like to thank you and appreciate you for such a simple walk through of the concept and issue.
1. Encrypt and decrypt , request and response using AES,
2. Proxy check
3. SSL pinning
4. Rooted Device check
5. Virtual device check ( if we have implemented pallycon don't neet to check )
These are security for iOS application security
Pallav, you are very good in Programming and clear about the concepts.
Thanks for helping. 🙏🏻
Great video. Explained in a very clear way. Thanks Pallav!
I'm preparing for my iOS interviews. This concept been asked couple of times. Thank you for sharing your knowledge !!!
Yes, this is one of the important interview questions, especially when interviewer wants to ask about the security aspects. Glad that you found the video useful🙂
Thanks, you made it simple, I was trying to learn this concept from long back but due to complex explanations I was not able to grab it.👍
Glad that you found the video helpful 🙂
Thank you so much for very clear explanation, the way you explain makes the hard topic which are difficult to understand look easy. Please keep sharing with us awesome videos.
Thanks so much. This is the 3rd video that you made that I'm studying. Thanks!!!
Please continue to make informative videos like this. Videos that other people aren't making!
Best iOS tutorial video ever seen! 🎉❤
I love these iOS security videos. Do more, please!
Sure Diego. I'll try to cover more topics on the same lines. 🙂
Perfect explanation, dude. Subscribed :D Thanks
Awesome Bro.. No one has ever explained http to SSL Pinning in such a way till date !!!
Keep up the good job.. loads on Love for your video content.. :-)
Any pointers or guideline usage for SwiftShield for obfuscation ?
per you explanation we got the hang that the function names and variables are given random names so that no one can know what is being used for what.. having more complexity.
Million thanks for such a hot topic with beautiful explanation ✌️✌️
Thanks Puneet 🙂
This was really detailed and Helpful Video👍
Clear explanation.. Keep doing more videos💫💥
Nice to see that you are covering the topics which are not covered by most of the tutors over the internet.
Thank You Sir. Lots of love. 🙏
Thanks Polu 🙂
Thank you sir ur videos helping me a lot to grow my knowledge because I am a fresher so I am in a begging stage thanks again
Awesome and knowledge filled as always... Thank you. 💐
I’m glad that you liked the video. Thanks for your constant support 😊
@@iCode_Happy_Coding Most Welcome you and your team always...as good content today are less seen .
loved the explanation , good job
Thank you so much for clearing my one doubt. Thanks a ton.
Glad that you found the video helpful 🙂
Kya vaibhava ji bhot padhai kar rahe ho :D
Best explanation i have seen so far.
Can you please also make video on how ofuscation is done??
Wonderful 🥇 video for complex topic
Thanks Pallav. You video is very informative
Thanks Akshay 🙂
Excellent tutorials . Good explanation
Love this Video. Thank You.
I may be mistaken, but I believe your short clip that attempts to describe asymmetric encryption is actually defining end-to-end encryption, which does use asymmetric encryption…. Although asymmetric encryption refers to a private key & public “key pair” (which differs from symmetry encryption), there are multiple ways asymmetric encryption can be implemented (ie. Diffie-Hellman Key exchange). In your short video clip you conveyed that asymmetric encryption is E2EE, which is incorrect. E2EE is 1 great implementation of asymmetric encryption, but asymmetric encryption is not E2EE.
Overall, thanks for your videos, honestly. You do a fine job.
Thanks for the explanation!!
Thanks for sharing video. It is awesome. Could you pls explain certificate transparency and which technology to use to avoid security concerns. How bank apps are managing
Superb explanation 👍
Your posts are always helpful!! Thanks for your efforts.
I have a question, is it possible to extract entities like public key and the api keys from the ipa ?? If so, what are the ways to save them in the app safely?
amazing explanation sir.. my question is after this handoff, what next ?? how to handle all the apis... suppose i need the PERSON data then what i need to do???
i am waiting for this type of videos thank you
Thanks Swapnil 🙂
Interesting , thank you for sharing.
Superb man
Please keep posting
Thanks Pawan 🙂
MaZA aa gya , dhaga khul gya MITM ka
I like a lot your tutorial 👍.Perfect
Thanks Rehan 🙂
Great video💯
Thank you for the video! Am I the only one who heard the word "Jazz" when the speaker were saying "Charles" 😅
Very good explanation. We have one query. Please clear this.
How we are sending a encrypted key to server after successful verification of server certificate with our bundle certificate?
Good one 👍
Excelente Video
great explained.
Do we need to write the didReceiveChallenge method for every new or another web service call?
What prevents the MITM downloading the same certificate as the real webserver. Would this bypass SSL pinning check?
Hi iCode
I have implemented SSL pinning through public key pinning in one of my app. But I'm getting different keys from the server while running the app in the device. Sometimes the public key from the server is matching and sometimes it's not. Can you please tell me what's going wrong here?
Thanks in advance.
I need to implement this for one of my projects, that project communicates to multiple domains, will it be possible to do pinning for various domains or can we do it for one and can trust communication for others? I would greatly appreciate how we can achieve this any idea or thought.
Nice video thank you
In case of ssl pinning hacked. We can also use Safety net implementation or Appattest service. Like, we use captcha in our web app. And we also can implement jail break for rooted device. Thing will be secure. After jail break implementation no one will be able to open app with rooted device.
Nice explanation
Great tutorial..
Thank you! 🙂
please make video on PKCS12 for security. also make one overview video on what are the ways to implement various levels of security.
Can this be done for third party APIs such as Google APIs?
Great!!!!
Thank you very much Sir. Could you please make Videos on what is DRM, fairplay and widevine etc
Thanks for the suggestion Anwesh. It's one of my favourite topics and will definitely look for covering it. 🙂
You are great 😮😮
Great video dude, thanks a lot! How about the certificate we keep in our bundle, shall we store it in Keychain for safety? or just add it into our project? Because, attackers might do a reverse engineering and even get access to the certificate we are storing in bundle.
Definitely. We must put the certificate in Keychain. Thanks for highlighting this 🙂
SecTrustGetCertificateAtIndex is deprecated in ios 15. any solution?..
We can add another layer also with SSL pinning , means we can check device is rooted or not if device is rooted we can terminate app.
Hi, I am trying to implement, Root check/Jailbreak detection I our App, but not able to find any reliable method, can you please share any document or link if you have any. Thanks.
How can we implement dynamic SSL pinning in swift?
can we patch smali to bypass certificate pinning ?
Great video...Thanks for the information...may I please know how to achieve obfuscation?
Thank you Ramesh 🙂.
Obfuscation takes a separate set of efforts, and expertise which I’m not aware of. But most of the companies take third party assistance for obfuscation. For example, Guard Square - it provides obfuscation services
PS - not a paid promotion 😅
Why policy array not used?
thanks for sharing such informative video with us. may i know is there any paid tool which can intercept API despite having certificate pinning ???
please let me know if anything.
👍👍
What if man in middle have the public key of our server certificate?
Since it wont chanve with tym, its more prone to issues like leaking of public keys...please clarify?
Public Key as the name suggests is public to all. You can extract the public key of any domain. The point is that if that man in the middle tries to intrude, the public key of that intruded host will change and will not match with the public key of your actual domain. The issue is not that the public key is exposed. It's already exposed. To hide the function where you are actually using that key, use obfuscation.
For Public Key pinning, as we are keeping Public Key hard coded in iOS code, that public key need to be same even after SSL certificate renewal. Is that my understanding correct?
Correct. When you renew your certificate, the public key remains the same. However, if you change the certificate, public key will also change. TrustKit allows you to keep two public keys so if one fails, it can fall back to the other.
What is the good practice to keep/have public hard coded pinning key in Xcode?
:-)Thank you
But if we use DNS poisoning we can easily bypass SSL pining, isn't it?
App in the production if It’s possible to expire the certificate how we could to update it? We need to get the updated certificate through the api?
No, you need to update the app with the new certificate and allow users to forcefully update the app. Thanks
You can build whatever logic you want. You can update the already saved certificate and download it from your custom-made API, save it in the document directory, overwrite the existing one, and then pass the DD path of your local certificate to match the host certificate. Doesn't necessarily always need to update the app. This type of logic only works when you keep your cer in DD path and not in the App bundle.
For App bundle, you need to update the app.
❤🎉🎉
Hi Pallav,
Hope you are doing well !
I would request you to please make a video in Hindi language also.
I try to use a language that is understandable by everyone. I’ll try to add subtitles in Hindi 🙂
I Have followed step, which is given in the medium blog for public key pinning, not working for me. Always getting wrong hash, compared to hash generated from terminal
I’ll try to cover it in detail.
@@iCode_Happy_Coding 😀👍
I guess that this method is not working on https protocols right?
It works for HTTPS as well (as I demonstrated in the video). It will not work if SSL pinning would have been done.
How to perform obfuscation ???
Great tutorial btw 💗
Glad that you liked the video. Generally it is done by using third parties like Guard Square.
What they are doing internally is very detailed topic that even I'm not 100% aware of. I'll try to learn and cover it in one of my upcoming videos. Thanks for the suggestion 🙂
@@iCode_Happy_Coding Thank you for the reply. And it will be awesome if it is coming in future. And the videos are really of very high quality content. Keep up the good work.
it doesnt make app secure it just hide app developer and backend problem. allow user to intercept traffic so they can see who is making network calls.