In Security

Version 0.4 of the iOS SSL Killswitch now available.

The iOS SSL Kill Switch is a tool to disable SSL certificate validation - including certificate pinning - within iOS Apps in order to facilitate blackbox testing.

In addition to patching NSURLConnection at runtime, this new release implements another strategy to disable certificate validation: it modifies the SecTrustEvaluate() function of the Security Framework in order to make it accept all certificate chains (similar to Intrepidus Group’s trustme tool). Overall, with both patching strategies available (NSURLConnection and SecTrustEvaluate() ), the iOS SSL Kill Switch will successfully disable certificate validation on more iOS applications.

The debian package can be downloaded here. See also:

• Black Hat 2012 Slides
• Github Project Page

Edit: Since I wrote this post, I’ve released TrustKit, an iOS library for SSL pinning which is much better than the project described here.

SSL Pinning

When an iOS app only needs to communicate to a well-defined set of servers over SSL, the security of the app’s network communications can be improved through SSL pinning. By requiring a specific certificate to be part of the server’s certificate chain, the threat of a rogue CA or a CA compromise is significantly reduced.

To simplify the process of adding this security feature to iOS apps, I released some source code as part of iSEC Partners’ SSL conservatory project. The two source files can easily be added to an existing iOS app and provide a simple API to pin certificates to the domains the app needs to connect to.

The SSLCertificatePinning class

This implementation allows a developer to pin a certificate for any number of domains the application needs to connect to. Specifically, developers can whitelist a certificate that will have to be part of the certificate chain sent back by the server during the SSL handshake. This gives additional flexibility as developers can decide to pin the CA/anchor certificate, the server/leaf certificate, or any intermediate certificate for a given domain. Each option has different advantages and limitations; for example, pinning the server/leaf certificate provides the best security but the certificate is going to change more often than the CA/anchor certificate. A change in the certificate (for example because it expired) will result in the app being unable to connect to the server. When that happens, the new certificate can be pushed to users by releasing a new version of the iOS app.

The SSLCertificatePinning API only exposes two methods and a convenience class:

• +(BOOL)loadSSLPinsFromDERCertificates:(NSDictionary *)certificates

This method takes a dictionary with domain names as keys and DER-encoded certificates as values and stores them in a pre-defined location on the filesystem.

• +(BOOL)verifyPinnedCertificateForTrust:(SecTrustRef)trust andDomain:(NSString *)domain

This method accesses the certificates previously loaded using the loadSSLPinsFromDERCertificates: method and looks in the trust object’s certificate chain for a certificate pinned to the given domain. SecTrustEvaluate() should always be called before this method to ensure that the certificate chain is valid.

The SSLPinnedNSURLConnectionDelegate class

The SSLPinnedNSURLConnectionDelegate class is designed to be subclassed and extended to implement the NSURLConnectionDelegate protocol and be used as a delegate for NSURLConnection objects. This class implements the connection:willSendRequestForAuthenticationChallenge: method so that it automatically validates that the certificate pinned to the domain the NSURLConnection object is accessing is part of the server’s certificate chain.

Cocoa Touch Shortcomings

Specific limitations due to what functions the iOS API exposes to developers and how much freedom they have when dealing with certificate validation prevented me from implementing some of the ideas that I had in mind when I started this project.

Public key pinning

For various reasons, it is actually better to pin a public key to a domain rather than the whole certificate. Unfortunately, public key pinning can only be partially implemented on iOS. While it is possible to extract the public key from a given certificate using a convoluted series of APIs calls (SecTrustCreateWithCertificates() and SecTrustCopyPublicKey()), the anchor certificate for a given certificate chain cannot be accessed. Therefore, as the anchor/CA public key cannot be extracted and validated, only the public key of the leaf or any intermediate certificates can be pinned to a domain.

SSL pinning in webviews

Update: it is actually possible to implement certificate pinning in webviews using the NSURLProtocol class. The initial paragraph about SSL pinning in webviews, which is incorrect, follows:

On iOS, the UIWebView class can be used to directly embed and display web content inside an app. However, as opposed to regular network communication APIs such as NSURLConnection, authentication challenges cannot be reliably handled when using the UIWebView class. Various tricks exist, for example to perform HTTP Basic authentication or to disable certificate validation within a webview through a credential caching mechanism. However, the lack of explicit APIs to configure the webview’s behavior makes it unsuitable for SSL pinning.

Revocation

Revocation checking is needed even when doing certificate pinning. However, there is no way on iOS to configure how revocation should be handled. The default behavior is to only check revocation for EV certificates, and this validation is “best attempt”, meaning that if the OCSP server cannot be reached, the validation will still not fail.

Project Page

The SSL Conservatory on GitHub.

A new version of SSLyze is now available. SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. This new version should be more stable/robust and it also brings new features:

Changelog

• Added support for Server Name Indication; see –sni
• Partial results are returned when the server requires client authentication but no client certificate was provided
• Preliminary IPv6 support
• Various bug fixes and better support of client authentication and HTTPS tunneling

Download

As usual, three packages are available:

• Linux and OS X: SSLyze v0.6 source package here
• Windows 7 and Python 32 bits: SSLyze v0.6 with OpenSSL 1.0.1c here
• Windows 7 and Python 64 bits: SSLyze v0.6 with OpenSSL 1.0.1c here

Version 0.3 of the iOS SSL Killswitch is now available. Most changes for this release are bug fixes and support for iOS 6.

The debian package can be downloaded here. See also:

• Black Hat 2012 Slides
• Github Project Page

The most dangerous code in the world

Stanford just released a whitepaper about the lack of proper SSL certificate validation in client applications: “The most dangerous code in the world: validating SSL certificates in non-browser software”. This papers calls out numerous, popular applications and libraries that do not properly validate certificates, thereby eliminating the confidentiality and integrity guarantees of SSL. According to the paper, one of the root cause of this issue is “badly designed APIs of SSL implementations (such as JSSE, OpenSSL, and GnuTLS) […] which present developers with a confusing array of settings and options”.

The most dangerous API in the world: OpenSSL

Undoubtedly, OpenSSL’s APIs for SSL certificate validation are confusing and poorly documented. Even worse, as opposed to other SSL libraries, OpenSSL does not provide any utility function to perform hostname validation: the library only validates the server’s certificate chain, not the name the certificate was issued for.

Throughout my work as a security consultant, I have seen numerous applications relying on OpenSSL to secure their network connection but failing to properly validate server certificates, resulting in the connections being vulnerable to man-in-the-middle attacks. This has led me to work on a whitepaper to provide application developers with clear and simple guidelines on how to properly perform certificate validation within an SSL client using the OpenSSL library. This whitepaper is now available on GitHub: “Everything You’ve Always Wanted to Know About Certificate Validation With OpenSSL (but Where Afraid to Ask)”.

The SSL Conservatory

This project is part of iSEC Partners’ SSL Conservatory.

Note: this article was originally posted on iSEC Partners’ blog.

iOS Blackbox testing VS Certificate pinning

When performing a black box assessment of an iOS App, one of the main tasks of the tester is to intercept the application’s network communications using a proxy. This gives the tester the ability to see what is happening behind the scenes and how the application and the server communicate with each other.

Successfully proxying the application’s traffic can be challenging when the application uses SSL combined with certificate pinning in order to validate the server’s identity. Without access to the application’s source code to manually disable certificate validation, the tester is left with no simple options to intercept the application’s traffic.

iOS SSL Kill Switch

At iSEC Partners, I’ve been working on a tool to simplify the process of bypassing certificate pinning when performing black box testing of iOS Apps: iOS SSL Kill Switch. This tool hooks specific SSL functions at runtime that perform certificate validation. Using Cydia, it can easily be deployed on a jailbroken device, allowing the tester to disable certificate validation for any app running on that device in a matter of minutes.

The tool was successfully tested against the Twitter, Square and card.io iOS applications which all use certificate pinning to secure their network traffic.

Project page

The iOS SSL Kill Switch was presented at BlackHat Vegas 2012 along with a similar tool for Android. It is available on the GitHub project page.