I agree, some times we face issue to bypass by cause of different logic of how the code is written and what function to call. Also would like to thank you and appreciate you for such a simple walk through of the concept and issue.
1. Encrypt and decrypt , request and response using AES, 2. Proxy check 3. SSL pinning 4. Rooted Device check 5. Virtual device check ( if we have implemented pallycon don't neet to check ) These are security for iOS application security
Yes, this is one of the important interview questions, especially when interviewer wants to ask about the security aspects. Glad that you found the video useful🙂
I love your videos..! They are always so detailed and they always focus on things that you simply cant find in normal iOS tutorials. Keep them coming..! 🎉🎉🙏🏻🙏🏻
Thank you so much for very clear explanation, the way you explain makes the hard topic which are difficult to understand look easy. Please keep sharing with us awesome videos.
Awesome Bro.. No one has ever explained http to SSL Pinning in such a way till date !!! Keep up the good job.. loads on Love for your video content.. :-) Any pointers or guideline usage for SwiftShield for obfuscation ? per you explanation we got the hang that the function names and variables are given random names so that no one can know what is being used for what.. having more complexity.
Very good explanation. We have one query. Please clear this. How we are sending a encrypted key to server after successful verification of server certificate with our bundle certificate?
Thanks for sharing video. It is awesome. Could you pls explain certificate transparency and which technology to use to avoid security concerns. How bank apps are managing
I may be mistaken, but I believe your short clip that attempts to describe asymmetric encryption is actually defining end-to-end encryption, which does use asymmetric encryption…. Although asymmetric encryption refers to a private key & public “key pair” (which differs from symmetry encryption), there are multiple ways asymmetric encryption can be implemented (ie. Diffie-Hellman Key exchange). In your short video clip you conveyed that asymmetric encryption is E2EE, which is incorrect. E2EE is 1 great implementation of asymmetric encryption, but asymmetric encryption is not E2EE. Overall, thanks for your videos, honestly. You do a fine job.
amazing explanation sir.. my question is after this handoff, what next ?? how to handle all the apis... suppose i need the PERSON data then what i need to do???
Hi, I am trying to implement, Root check/Jailbreak detection I our App, but not able to find any reliable method, can you please share any document or link if you have any. Thanks.
In case of ssl pinning hacked. We can also use Safety net implementation or Appattest service. Like, we use captcha in our web app. And we also can implement jail break for rooted device. Thing will be secure. After jail break implementation no one will be able to open app with rooted device.
Your posts are always helpful!! Thanks for your efforts. I have a question, is it possible to extract entities like public key and the api keys from the ipa ?? If so, what are the ways to save them in the app safely?
Hi iCode I have implemented SSL pinning through public key pinning in one of my app. But I'm getting different keys from the server while running the app in the device. Sometimes the public key from the server is matching and sometimes it's not. Can you please tell me what's going wrong here? Thanks in advance.
I need to implement this for one of my projects, that project communicates to multiple domains, will it be possible to do pinning for various domains or can we do it for one and can trust communication for others? I would greatly appreciate how we can achieve this any idea or thought.
Great video dude, thanks a lot! How about the certificate we keep in our bundle, shall we store it in Keychain for safety? or just add it into our project? Because, attackers might do a reverse engineering and even get access to the certificate we are storing in bundle.
Thank you Ramesh 🙂. Obfuscation takes a separate set of efforts, and expertise which I’m not aware of. But most of the companies take third party assistance for obfuscation. For example, Guard Square - it provides obfuscation services PS - not a paid promotion 😅
thanks for sharing such informative video with us. may i know is there any paid tool which can intercept API despite having certificate pinning ??? please let me know if anything.
For Public Key pinning, as we are keeping Public Key hard coded in iOS code, that public key need to be same even after SSL certificate renewal. Is that my understanding correct?
Correct. When you renew your certificate, the public key remains the same. However, if you change the certificate, public key will also change. TrustKit allows you to keep two public keys so if one fails, it can fall back to the other.
What if man in middle have the public key of our server certificate? Since it wont chanve with tym, its more prone to issues like leaking of public keys...please clarify?
Public Key as the name suggests is public to all. You can extract the public key of any domain. The point is that if that man in the middle tries to intrude, the public key of that intruded host will change and will not match with the public key of your actual domain. The issue is not that the public key is exposed. It's already exposed. To hide the function where you are actually using that key, use obfuscation.
I Have followed step, which is given in the medium blog for public key pinning, not working for me. Always getting wrong hash, compared to hash generated from terminal
You can build whatever logic you want. You can update the already saved certificate and download it from your custom-made API, save it in the document directory, overwrite the existing one, and then pass the DD path of your local certificate to match the host certificate. Doesn't necessarily always need to update the app. This type of logic only works when you keep your cer in DD path and not in the App bundle. For App bundle, you need to update the app.
Glad that you liked the video. Generally it is done by using third parties like Guard Square. What they are doing internally is very detailed topic that even I'm not 100% aware of. I'll try to learn and cover it in one of my upcoming videos. Thanks for the suggestion 🙂
@@iCode_Happy_Coding Thank you for the reply. And it will be awesome if it is coming in future. And the videos are really of very high quality content. Keep up the good work.
I agree, some times we face issue to bypass by cause of different logic of how the code is written and what function to call. Also would like to thank you and appreciate you for such a simple walk through of the concept and issue.
Haven't been able to find a better explanation in the whole internet! 👏
So clear explanation of the ssl and ssl pinning with great examples, ty so much!)
Best video explaining this topic in the best manner!
1. Encrypt and decrypt , request and response using AES,
2. Proxy check
3. SSL pinning
4. Rooted Device check
5. Virtual device check ( if we have implemented pallycon don't neet to check )
These are security for iOS application security
I'm preparing for my iOS interviews. This concept been asked couple of times. Thank you for sharing your knowledge !!!
Yes, this is one of the important interview questions, especially when interviewer wants to ask about the security aspects. Glad that you found the video useful🙂
Thanks, you made it simple, I was trying to learn this concept from long back but due to complex explanations I was not able to grab it.👍
Glad that you found the video helpful 🙂
I love your videos..! They are always so detailed and they always focus on things that you simply cant find in normal iOS tutorials. Keep them coming..! 🎉🎉🙏🏻🙏🏻
Thanks Rushil 🙂
Pallav, you are very good in Programming and clear about the concepts.
Thanks for helping. 🙏🏻
Excellent video. Thanks for making the concept clear in a very easy-to-understand way and also through a simple demo.
Please continue to make informative videos like this. Videos that other people aren't making!
Best iOS tutorial video ever seen! 🎉❤
Great video. Explained in a very clear way. Thanks Pallav!
Thanks so much. This is the 3rd video that you made that I'm studying. Thanks!!!
MaZA aa gya , dhaga khul gya MITM ka
Nice to see that you are covering the topics which are not covered by most of the tutors over the internet.
Thank You Sir. Lots of love. 🙏
Thanks Polu 🙂
Thank you so much for very clear explanation, the way you explain makes the hard topic which are difficult to understand look easy. Please keep sharing with us awesome videos.
I love these iOS security videos. Do more, please!
Sure Diego. I'll try to cover more topics on the same lines. 🙂
Million thanks for such a hot topic with beautiful explanation ✌️✌️
Thanks Puneet 🙂
Awesome Bro.. No one has ever explained http to SSL Pinning in such a way till date !!!
Keep up the good job.. loads on Love for your video content.. :-)
Any pointers or guideline usage for SwiftShield for obfuscation ?
per you explanation we got the hang that the function names and variables are given random names so that no one can know what is being used for what.. having more complexity.
Clear explanation.. Keep doing more videos💫💥
Thank you sir ur videos helping me a lot to grow my knowledge because I am a fresher so I am in a begging stage thanks again
Thank you for the video! Am I the only one who heard the word "Jazz" when the speaker were saying "Charles" 😅
This was really detailed and Helpful Video👍
Thank you for sharing knowledge it was very insightful 👍
Perfect explanation, dude. Subscribed :D Thanks
Very good explanation. We have one query. Please clear this.
How we are sending a encrypted key to server after successful verification of server certificate with our bundle certificate?
Thank you so much for clearing my one doubt. Thanks a ton.
Glad that you found the video helpful 🙂
Kya vaibhava ji bhot padhai kar rahe ho :D
Thanks for sharing video. It is awesome. Could you pls explain certificate transparency and which technology to use to avoid security concerns. How bank apps are managing
I may be mistaken, but I believe your short clip that attempts to describe asymmetric encryption is actually defining end-to-end encryption, which does use asymmetric encryption…. Although asymmetric encryption refers to a private key & public “key pair” (which differs from symmetry encryption), there are multiple ways asymmetric encryption can be implemented (ie. Diffie-Hellman Key exchange). In your short video clip you conveyed that asymmetric encryption is E2EE, which is incorrect. E2EE is 1 great implementation of asymmetric encryption, but asymmetric encryption is not E2EE.
Overall, thanks for your videos, honestly. You do a fine job.
Best explanation i have seen so far.
Can you please also make video on how ofuscation is done??
Wonderful 🥇 video for complex topic
loved the explanation , good job
amazing explanation sir.. my question is after this handoff, what next ?? how to handle all the apis... suppose i need the PERSON data then what i need to do???
We can add another layer also with SSL pinning , means we can check device is rooted or not if device is rooted we can terminate app.
Hi, I am trying to implement, Root check/Jailbreak detection I our App, but not able to find any reliable method, can you please share any document or link if you have any. Thanks.
Excellent tutorials . Good explanation
In case of ssl pinning hacked. We can also use Safety net implementation or Appattest service. Like, we use captcha in our web app. And we also can implement jail break for rooted device. Thing will be secure. After jail break implementation no one will be able to open app with rooted device.
Superb explanation 👍
Thank you very much Sir. Could you please make Videos on what is DRM, fairplay and widevine etc
Thanks for the suggestion Anwesh. It's one of my favourite topics and will definitely look for covering it. 🙂
Thanks Pallav. You video is very informative
Thanks Akshay 🙂
Thanks for the explanation!!
please make video on PKCS12 for security. also make one overview video on what are the ways to implement various levels of security.
Awesome and knowledge filled as always... Thank you. 💐
I’m glad that you liked the video. Thanks for your constant support 😊
@@iCode_Happy_Coding Most Welcome you and your team always...as good content today are less seen .
Love this Video. Thank You.
Your posts are always helpful!! Thanks for your efforts.
I have a question, is it possible to extract entities like public key and the api keys from the ipa ?? If so, what are the ways to save them in the app safely?
Hi iCode
I have implemented SSL pinning through public key pinning in one of my app. But I'm getting different keys from the server while running the app in the device. Sometimes the public key from the server is matching and sometimes it's not. Can you please tell me what's going wrong here?
Thanks in advance.
Superb man
Please keep posting
Thanks Pawan 🙂
Can this be done for third party APIs such as Google APIs?
Great video💯
Nice explanation
Excelente Video
But if we use DNS poisoning we can easily bypass SSL pining, isn't it?
I need to implement this for one of my projects, that project communicates to multiple domains, will it be possible to do pinning for various domains or can we do it for one and can trust communication for others? I would greatly appreciate how we can achieve this any idea or thought.
i am waiting for this type of videos thank you
Thanks Swapnil 🙂
What prevents the MITM downloading the same certificate as the real webserver. Would this bypass SSL pinning check?
Great video dude, thanks a lot! How about the certificate we keep in our bundle, shall we store it in Keychain for safety? or just add it into our project? Because, attackers might do a reverse engineering and even get access to the certificate we are storing in bundle.
Definitely. We must put the certificate in Keychain. Thanks for highlighting this 🙂
great explained.
Good one 👍
Do we need to write the didReceiveChallenge method for every new or another web service call?
Great video...Thanks for the information...may I please know how to achieve obfuscation?
Thank you Ramesh 🙂.
Obfuscation takes a separate set of efforts, and expertise which I’m not aware of. But most of the companies take third party assistance for obfuscation. For example, Guard Square - it provides obfuscation services
PS - not a paid promotion 😅
How can we implement dynamic SSL pinning in swift?
thanks for sharing such informative video with us. may i know is there any paid tool which can intercept API despite having certificate pinning ???
please let me know if anything.
SecTrustGetCertificateAtIndex is deprecated in ios 15. any solution?..
I like a lot your tutorial 👍.Perfect
Thanks Rehan 🙂
Why policy array not used?
Interesting , thank you for sharing.
Nice video thank you
For Public Key pinning, as we are keeping Public Key hard coded in iOS code, that public key need to be same even after SSL certificate renewal. Is that my understanding correct?
Correct. When you renew your certificate, the public key remains the same. However, if you change the certificate, public key will also change. TrustKit allows you to keep two public keys so if one fails, it can fall back to the other.
What is the good practice to keep/have public hard coded pinning key in Xcode?
can we patch smali to bypass certificate pinning ?
Great!!!!
What if man in middle have the public key of our server certificate?
Since it wont chanve with tym, its more prone to issues like leaking of public keys...please clarify?
Public Key as the name suggests is public to all. You can extract the public key of any domain. The point is that if that man in the middle tries to intrude, the public key of that intruded host will change and will not match with the public key of your actual domain. The issue is not that the public key is exposed. It's already exposed. To hide the function where you are actually using that key, use obfuscation.
You are great 😮😮
Great tutorial..
Thank you! 🙂
I Have followed step, which is given in the medium blog for public key pinning, not working for me. Always getting wrong hash, compared to hash generated from terminal
I’ll try to cover it in detail.
@@iCode_Happy_Coding 😀👍
App in the production if It’s possible to expire the certificate how we could to update it? We need to get the updated certificate through the api?
No, you need to update the app with the new certificate and allow users to forcefully update the app. Thanks
You can build whatever logic you want. You can update the already saved certificate and download it from your custom-made API, save it in the document directory, overwrite the existing one, and then pass the DD path of your local certificate to match the host certificate. Doesn't necessarily always need to update the app. This type of logic only works when you keep your cer in DD path and not in the App bundle.
For App bundle, you need to update the app.
Hi Pallav,
Hope you are doing well !
I would request you to please make a video in Hindi language also.
I try to use a language that is understandable by everyone. I’ll try to add subtitles in Hindi 🙂
Sir where is public key pinning!!!
it doesnt make app secure it just hide app developer and backend problem. allow user to intercept traffic so they can see who is making network calls.
❤🎉🎉
I guess that this method is not working on https protocols right?
It works for HTTPS as well (as I demonstrated in the video). It will not work if SSL pinning would have been done.
👍👍
How to perform obfuscation ???
Great tutorial btw 💗
Glad that you liked the video. Generally it is done by using third parties like Guard Square.
What they are doing internally is very detailed topic that even I'm not 100% aware of. I'll try to learn and cover it in one of my upcoming videos. Thanks for the suggestion 🙂
@@iCode_Happy_Coding Thank you for the reply. And it will be awesome if it is coming in future. And the videos are really of very high quality content. Keep up the good work.
:-)Thank you