iOS SSL Kill Switch v0.4 Released

Version 0.4 of the iOS SSL Kill Switch is now available.

The iOS SSL Kill Switch is a tool to disable SSL certificate validation, including certificate pinning, within iOS apps in order to facilitate black-box testing.

In addition to patching NSURLConnection at runtime, this new release implements another strategy to disable certificate validation: it modifies the SecTrustEvaluate() function of the Security Framework to make it accept all certificate chains (similar to Intrepidus Group’s trustme tool). With both patching strategies available (NSURLConnection and SecTrustEvaluate()), the iOS SSL Kill Switch will successfully disable certificate validation on more iOS applications.

The Debian package can be downloaded here.

June 02, 2013
ios, ssl