In Security

Note: this article was originally posted on iSEC Partners’ blog.

iOS Blackbox testing VS Certificate pinning

When performing a black box assessment of an iOS App, one of the main tasks of the tester is to intercept the application’s network communications using a proxy. This gives the tester the ability to see what is happening behind the scenes and how the application and the server communicate with each other.

Successfully proxying the application’s traffic can be challenging when the application uses SSL combined with certificate pinning in order to validate the server’s identity. Without access to the application’s source code to manually disable certificate validation, the tester is left with no simple options to intercept the application’s traffic.

iOS SSL Kill Switch

At iSEC Partners, I’ve been working on a tool to simplify the process of bypassing certificate pinning when performing black box testing of iOS Apps: iOS SSL Kill Switch. This tool hooks specific SSL functions at runtime that perform certificate validation. Using Cydia, it can easily be deployed on a jailbroken device, allowing the tester to disable certificate validation for any app running on that device in a matter of minutes.

The tool was successfully tested against the Twitter, Square and card.io iOS applications which all use certificate pinning to secure their network traffic.

Project page

The iOS SSL Kill Switch was presented at BlackHat Vegas 2012 along with a similar tool for Android. It is available on the GitHub project page.