Ultimate Guide To Perform SSL Pinning In iOS Apps

Did you know that over 70% of mobile apps contain at least one advanced mobile security vulnerability? This alarming statistic highlights the importance of securing your mobile applications, and SSL pinning is one effective method to do so.

SSL, or Secure Sockets Layer, is a protocol that encrypts data between a client and a server to ensure secure communication. However, SSL is not foolproof: on its own it remains susceptible to attacks such as Man-in-the-Middle (MiTM) attacks.

This is where SSL pinning becomes helpful. When this technique is implemented, the app is configured to only trust specific SSL certificates or public keys, and any other certificates or keys are blocked.

This helps to prevent man-in-the-middle attacks and ensures that the app only communicates with trusted servers. This guide dives deeper into the concept of SSL pinning, and how you can implement it in your iOS app among other basics.

What is SSL on iPhone?

SSL is a critical component of secure online communication. When it comes to iOS App Security, SSL helps secure the transmission of data between the iPhone and the servers it connects to.

You might think, “Okay, so SSL is important, but what’s the big deal with SSL on iPhone?” Well, here’s the thing – iPhones and other mobile devices are increasingly becoming the primary way people access the internet and mobile apps.

As of February 2023, more than half of all web visits were from mobile devices, with 52.08% of total web visits being mobile and 47.92% from desktops. As a result, your website or mobile app must be equipped with SSL to ensure the security and privacy of your users.

Now, you may have a question: which certificate should you choose? The usual answer is a low-priced or cheap SSL certificate. But does a cheap SSL certificate offer the same level of security as more expensive options?

The short answer is: Yes! Cheap SSL certificates can provide the same level of security as their more expensive counterparts. The key factor to consider is the level of encryption that the SSL certificate provides.

Really, provided that the certificate offers strong encryption, it doesn’t matter whether it’s cheap or expensive. In fact, many popular SSL providers offer affordable SSL certificates that provide strong encryption.

This makes it easy and cost-effective for website owners and app developers to implement SSL on their websites and mobile applications. So, whether you’re using a cheap or expensive SSL certificate, the most important thing is to ensure that it provides strong encryption to secure data transmission between your iPhone and the servers it connects to.

What is SSL Pinning?

SSL pinning is a technique that ensures that a mobile app only communicates with a specific server and not any other server. When a mobile app communicates with a server over SSL, it checks the server’s SSL certificate to verify its authenticity.

This check is done by the operating system’s built-in certificate trust store, which contains a list of trusted root certificates from reputable Certificate Authorities (CAs). However, this check alone is not sufficient to prevent MiTM attacks.

A motivated attacker who can get a fraudulent certificate trusted by the device can impersonate the server and intercept the data transmitted between the client and the server. This is where SSL pinning comes in.

SSL pinning involves associating a specific SSL certificate with a particular domain or IP address. Once this association is established, the app will only trust SSL certificates that match the associated certificate, thus preventing MiTM attacks.

SSL pinning may be particularly important if your mobile app transmits sensitive information like financial or personal data. It provides an additional layer of security, ensuring that the app only communicates with the intended server and not any other server.

Types of SSL Certificate Pinning Methods

As earlier explained, SSL pinning is important for iOS app security because it ensures the app only communicates with the trusted server, to significantly reduce the risks of man-in-the-middle attacks. Without SSL pinning, an attacker could use a rogue certificate to intercept and modify communication between the app and server, potentially compromising sensitive user information. Now, there are two main types of SSL certificate pinning: embedding the certificate or the public key.

·        Embedding the Certificate

This method involves hard-coding the server’s SSL certificate directly into the application or client. The application then verifies that the certificate presented during the SSL/TLS handshake matches the embedded certificate.

·        Embedding the Public Key

This method involves embedding the public key of the SSL certificate into the application or client. During the SSL/TLS handshake, the server presents its SSL certificate. The application then verifies that the public key in the certificate matches the embedded public key.

Note that there are three kinds of certificate in a server's chain, and any of them can be the one you pin. These include:

  1. Leaf Certificate: The leaf certificate, also known as the end-entity certificate, is issued to the specific domain or subdomain that the client is connecting to. It contains the public key, identity information, and other attributes of the domain or subdomain. When implementing SSL pinning with a leaf certificate, an expired or replaced pinned certificate will disrupt the application until the app is updated. Note that leaf certificates have a significantly shorter validity period than intermediate and root certificates, so pinning them means more frequent app updates.
  2. Intermediate Certificate: The intermediate certificate, also known as the chain certificate, is issued by a Certificate Authority (CA) and is used to establish trust between the leaf certificate and the root certificate. When implementing SSL pinning with an intermediate certificate, changes to the leaf certificate will not affect the application as long as the new certificate is issued by the same intermediate. However, trust in the CA is required to ensure the security of the connection.
  3. Root Certificate: The root certificate is issued and signed by a trusted CA. During validation, the client walks the chain: if the presented certificate is not itself trusted, it checks that certificate's issuer, and so on, until it reaches a trusted CA at the top of the chain. The root certificate contains the CA's public key and identity information and is used to verify the authenticity of the intermediate certificate. Pinning the root establishes the highest level of trust and is the most stable pin, since it survives leaf and intermediate rotation; it is also the broadest, because any certificate that CA issues for the domain will be accepted.

How to Implement SSL Pinning in Your iOS App

Implementing SSL pinning in your iOS app may seem daunting, but it is an essential step.

This is especially true if you care about your iOS app security and the safety of the data your app users trust you with. Here are two methods to implement SSL pinning in your iOS app:

·        Using NSURLSession

In this method, the server presents its certificate during the TLS handshake and the session delegate receives it as an authentication challenge. The server's SSL certificate is then compared with those saved in the app bundle, and if it matches, the challenge is accepted and the connection proceeds.

All the checks are done manually in this method to implement SSL pinning. To implement SSL pinning using NSURLSession, you'll first need to create an NSURLSession object with a delegate that handles server-trust challenges.

Then, you can create the request with the ‘dataTaskWithURL:completionHandler:’ method; starting the task triggers the handshake and therefore the pinning check in the delegate. During the check, the SSL certificate is compared against the pinned certificate or public key, and the connection is only established if the check is successful.
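The following is an added example, not code from the original article: a URLSession delegate that implements the manual check described above using the public-key variant from the earlier section, so a renewed certificate with the same key keeps working. It assumes iOS 15 or later (for SecTrustCopyCertificateChain) and a placeholder pin value that you would replace with the hash of your own server's key.

```swift
import Foundation
import Security
import CryptoKit

// URLSession delegate that accepts a server only if the public key in its leaf certificate
// hashes to one of the pinned SHA-256 values shipped with the app.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedKeyHashes: Set<String>   // hex SHA-256 of the server's public key bytes

    init(pinnedKeyHashes: Set<String>) { self.pinnedKeyHashes = pinnedKeyHashes }

    // Hex SHA-256 of the key's external representation (PKCS#1 for RSA, X9.63 for EC).
    static func keyHash(_ key: SecKey) -> String? {
        guard let bytes = SecKeyCopyExternalRepresentation(key, nil) as Data? else { return nil }
        return SHA256.hash(data: bytes).map { String(format: "%02x", $0) }.joined()
    }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle the server-trust challenge raised during the TLS handshake.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let serverTrust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        // 1. Keep the system's normal chain, expiry and hostname validation; pinning adds to it.
        var error: CFError?
        guard SecTrustEvaluateWithError(serverTrust, &error) else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        // 2. Pull the public key out of the leaf certificate (index 0) and compare its hash.
        guard let chain = SecTrustCopyCertificateChain(serverTrust) as? [SecCertificate],
              let leaf = chain.first, let key = SecCertificateCopyKey(leaf),
              let hash = PinningSessionDelegate.keyHash(key), pinnedKeyHashes.contains(hash) else {
            return completionHandler(.cancelAuthenticationChallenge, nil)   // pin mismatch: refuse
        }
        completionHandler(.useCredential, URLCredential(trust: serverTrust))
    }
}

// Build a session whose connections go through the pinning delegate. The hash below is a
// placeholder; compute the real one from your server's certificate with keyHash(_:).
func makePinnedSession() -> URLSession {
    let delegate = PinningSessionDelegate(pinnedKeyHashes: ["<sha256-hex-of-server-public-key>"])
    return URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
}
// Usage: makePinnedSession().dataTask(with: url) { data, response, error in ... }.resume()
```

Because the system evaluation still runs first, an expired or hostname-mismatched certificate is rejected even when its key matches the pin.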

·        Using Alamofire Certificate Pinning

Alamofire is a popular HTTP networking library in Swift used for iOS native development. It comes with built-in functionality for SSL pinning.

Alamofire has the ServerTrustPolicy.certificates(bundle:) method, which returns all the certificates within the bundle. Policies are assigned per host, so you can pin only the pre-defined domains you choose rather than every host the app contacts, which provides more flexibility in pinning certificates.

To implement SSL pinning using Alamofire, you attach a ServerTrustPolicy for each pinned host to the session and then validate() the request. Alamofire evaluates the server's SSL certificate against the pinned certificate or public key during the handshake and only establishes the connection if the evaluation succeeds.
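An added example of certificate pinning with Alamofire, not taken from the article or from Alamofire's own documentation. It assumes the Alamofire 4 API (ServerTrustPolicy and ServerTrustPolicyManager; Alamofire 5 replaced these with ServerTrustManager), that the pinned DER certificates ship in the app bundle, and a placeholder hostname api.example.com.

```swift
import Alamofire
import Foundation

// Hostname to pin (placeholder); every other host keeps Alamofire's default system evaluation.
let pinnedHost = "api.example.com"

// Load every certificate file (.cer, .crt, .der, ...) shipped in the app bundle.
let pinnedCertificates = ServerTrustPolicy.certificates(in: Bundle.main)

// Map host -> policy. Chain and host validation stay on so pinning adds to, rather than
// replaces, the normal checks; disabling them is a common misconfiguration.
let policies: [String: ServerTrustPolicy] = [
    pinnedHost: .pinCertificates(
        certificates: pinnedCertificates,
        validateCertificateChain: true,
        validateHost: true
    )
    // Public-key variant for the same host would be:
    // .pinPublicKeys(publicKeys: ServerTrustPolicy.publicKeys(), validateCertificateChain: true, validateHost: true)
]

// The session manager consults the policy manager for each server-trust challenge.
let sessionManager = SessionManager(
    configuration: URLSessionConfiguration.default,
    serverTrustPolicyManager: ServerTrustPolicyManager(policies: policies)
)

func fetchProfile() {
    sessionManager.request("https://\(pinnedHost)/v1/profile")
        .validate()
        .responseData { response in
            switch response.result {
            case .success(let data):
                print("pinned request succeeded, \(data.count) bytes")
            case .failure(let error):
                // A pin mismatch surfaces here: the handshake is cancelled and the task fails.
                print("request failed: \(error)")
            }
        }
}
```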

iOS SSL Pinning: FAQs

What is the difference between certificate pinning and public key pinning?

Certificate pinning involves verifying the server's SSL certificate against a specific, pre-defined certificate or set of certificates. On the other hand, public key pinning involves verifying the public key inside the server's SSL certificate against a specific public key or set of public keys.

How do I update the pinned SSL certificate in my iOS app?

Updating the pinned SSL certificate in your iOS app involves updating the certificate or public key in the app bundle and releasing an updated version of the app. Note that if the pinned certificate or public key is expired or invalid, it will disrupt the application until it's updated. It's recommended to set an appropriate expiration time for the pinned certificate or public key and have a process to update the certificate when necessary.

What are the potential drawbacks of SSL pinning in iOS apps?

While SSL pinning provides an added layer of security to iOS apps, there are some drawbacks. One is the increased complexity of implementing SSL pinning in the app, which can result in more development time and maintenance. Another is the risk of false positives, where legitimate connections are rejected, if the pinned certificate or public key is not updated on time or if the server's SSL certificate changes unexpectedly.