iOS Code Snippet SSL Certificate Pinning

Certificate pinning is a security feature. When it is set, the app only accepts the certificates listed for each domain. It is usually not needed, because a certificate must already have a valid chain up to a trusted root.
Starting from iOS 14 it is quite simple to add certificate pinning.
Full information: https://developer.apple.com/news/?id=g9ejcf8y

Steps:

1. Download the intermediate or root certificate PEM file. In Firefox it looks like this:

[Screenshot: 1632893527520.png]

2. Install OpenSSL: https://slproweb.com/products/Win32OpenSSL.html

3. Run: cat ca.pem | openssl x509 -inform pem -noout -outform pem -pubkey | openssl pkey -pubin -inform pem -outform der | openssl dgst -sha256 -binary | openssl enc -base64

4. Add the following code to the main module. Replace the domain and the base64 key.

Example:
B4X:
#PlistExtra: <key>NSAppTransportSecurity</key>
#PlistExtra: <dict>
#PlistExtra:     <key>NSPinnedDomains</key>
#PlistExtra:     <dict>
#PlistExtra:         <key>b4x.com</key>
#PlistExtra:         <dict>
#PlistExtra:             <key>NSIncludesSubdomains</key>
#PlistExtra:             <true/>
#PlistExtra:             <key>NSPinnedCAIdentities</key>
#PlistExtra:             <array>
#PlistExtra:                 <dict>
#PlistExtra:                     <key>SPKI-SHA256-BASE64</key>
#PlistExtra:                     <string>fL2WqC2l5uf2+UsREkC4vpvX1l1w6N47XmmbDTOPHoM=</string>
#PlistExtra:                 </dict>
#PlistExtra:             </array>
#PlistExtra:         </dict>
#PlistExtra:     </dict>
#PlistExtra: </dict>

You can test it by changing the domain to a different one and then making a request to the new domain.
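An added example, not part of the original post: a POSIX shell version of the step 3 pipeline that fails when the PEM file is missing or unparsable, instead of printing the hash of empty input, which looks just like a real pin. The function names and the throwaway demo CA are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# spki_pin FILE: print the SPKI-SHA256-BASE64 pin of a PEM certificate.
# Unlike the one-line pipeline, it fails when FILE cannot be parsed; the
# plain pipeline would print the hash of empty input, which looks like a pin.
spki_pin() {
    der=$(mktemp) || return 1
    rc=1
    if openssl x509 -in "$1" -inform pem -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -inform pem -outform der -out "$der" 2>/dev/null &&
        [ -s "$der" ]; then
        openssl dgst -sha256 -binary "$der" | openssl enc -base64 && rc=0
    fi
    rm -f "$der"
    return "$rc"
}

# pin_matches FILE PIN: succeed only if FILE's public key hashes to PIN.
pin_matches() {
    actual=$(spki_pin "$1") || return 1
    [ "$actual" = "$2" ]
}

# make_demo_ca DIR: constructed throwaway CA key and two self-signed
# certificates issued from that same key (ca.pem and ca-renewed.pem).
make_demo_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/ca.key" 2>/dev/null &&
    openssl req -x509 -new -key "$1/ca.key" -subj "/CN=Constructed Demo CA" \
        -days 1 -out "$1/ca.pem" 2>/dev/null &&
    openssl req -x509 -new -key "$1/ca.key" -subj "/CN=Constructed Demo CA" \
        -days 30 -out "$1/ca-renewed.pem" 2>/dev/null
}

# Usage: sh pin.sh ca.pem   (prints the value for SPKI-SHA256-BASE64)
if [ "$#" -eq 1 ]; then
    spki_pin "$1"
fi
```

The pin depends only on the public key, so the two certificates produced by make_demo_ca give the same value even though their validity periods differ.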
 