Hi, I am unable to understand what is not possible. Also, you can reset the Charles root certificate in the Help menu of Charles and it will be created for the next 1 year. Then you need to install the certificate profile on the device again, and make sure to remove the old one first.
I am using translations, so there may be some misunderstandings. The certificate "charles proxy ca" on the iPad side had already expired. A root reset on the Charles side did not change this.
@@mimchu_ Hi. After a root reset in Charles, did you delete the certificates on the iPad again, then reinstall them and restart Charles? This is how it generally works for me every time.
The series is awesome, thanks for providing such amazing content. Just wondering about the ways of storing the keys; to my understanding, storing sensitive keys (hardcoded strings) at the project level is not a recommended way. For production-level apps that are largely scaled, what are your approaches for storing the keys?
Hi Alwyn, thanks for checking out the videos. For this particular hardcoded string: since this is a public key, and by using it we are generating the hash using the standard header algorithms of RSA or Elliptic Curve public keys etc., it can ultimately be generated by anyone, since the key is public. If we want to keep anything else, like access tokens, we can choose Keychain. Keeping the secret key etc. hardcoded is probably the best solution. Everything else is more complicated, but not much more secure. If a hardcoded string can be reverse-engineered, other techniques can also be quickly reverse-engineered as well. Best is to keep things simple. Apple provides some level of obfuscation which is not very easy to reverse engineer. Another approach can be making some digest using the current timestamp and mixing in some secret key of yours, which can be validated at your server end. That digest will be different for all calls and won't be easily recognizable to an intruder. Well, this is my opinion. You can choose to add different layers of security as per your app requirements!
Hi, this has something to do with the site where you have hosted the AASA. The possibilities can be anything. Maybe your site or the address you are accessing is private. Check your appID format. It should be an object first and not an array. Check your AASA is well made as per Apple's policies. Check you don't have multiple AASA files: one in the hidden .well-known directory and one outside on the root. You have to debug all these things. There might be more to debug, as it depends on where your AASA is hosted, your server configuration, etc.
Yeah, I forgot to set them, which will be used in evaluation. After appending the policy array, you can use SecTrustSetPolicies(serverTrust, policy). Thanks.
The drag and drop of the certificate to the simulator saved me. I was looking for hours into why traffic was being blocked on my simulator. This solved it. Thank you!
We received .pkcs file data from their server A; using this certificate we have to connect to server B with client authentication in a macOS application. How to use this certificate without installing it in Keychain Access?
Good work, your two explanations, as certificate or public key, are the simplest of all the other guides, and the video version is very simple without frameworks, except for the SHA-256 functions. Good job.
This series on SSL Pinning is brilliant and very precisely explained; it has helped me a lot in making my app more secure. Thank you Rajan. I have one question which was asked of me in an interview: if a certificate gets expired, then we need to again download those certificates from the web and then publish the app on the App Store, but in a large production app how can we validate certificates at runtime without publishing the app on the App Store every time?
Hi Prateek, thanks for checking out the videos. Generally, for large scale apps, we use public key pinning and not certificate pinning because, in public key pinning, even if the certificate expires and we renew it, the public key remains the same. TrustKit also gives you a facility to add a secondary fallback public key too, thus avoiding the need to re-publish the application on the App Store. If you use certificate pinning, then you need to update your bundle with the latest valid certificate and update the app on the App Store before the certificate expires.
Hi Ranjith, since Alamofire doesn't support Public Key Pinning, the certificate in the bundle will expire after a year. So you must republish with a new certificate before the old one expires. To avoid this, always use Public Key Pinning using URLSession or TrustKit.
For TrustKit to work with Alamofire, I have to change my whole API structure, as we have used Alamofire like this: Alamofire.request(URLString, method: httpMethod, parameters: parameters, encoding: JSONEncoding.default, headers: updateHeader).responseJSON. So we have not used a session. Can anyone help me with how to set the delegate of this session?
Hello Rajan, correct me if I am wrong. Public key pinning does not require certificates to be downloaded and kept in the project. We just have to extract the public key from the host and use that key in the project.
Correct. Public key pinning doesn't require any certificate in the app bundle. In case you are using public key pinning with Alamofire, then you need to keep it in the bundle because of Alamofire's limitations. Otherwise, using URLSession or TrustKit doesn't require a certificate in the app bundle. You just need to extract the key, keep it in the project, and match it with the request challenge.
Hi. First, the certificate is public, and a public certificate can be used to secure either server-to-client or server-to-server communication. It can be easily extracted for any host. Whenever a request is intercepted, the certificate changes. If the client passes the same certificate, it means it is a legitimate request. Second, public key pinning doesn't even require a certificate in the bundle. The Public Key Pinning video is just next in this series. We can't mix the two techniques. Both have their pros and cons. There are always risks involved, and SSL Pinning is not a 100% secure mechanism.
Hi Sai, I am not able to understand this. Even if you have a refresh and auth token mechanism, the intruder can still see your tokens passed in calls. And if someone is sniffing, you might want to invalidate the call. That's where SSL pinning comes in.
Super topic you have chosen, great video. Please address my issue: I am getting SSL pinning failed. My remoteCertData and localCertData are not matching/equal.
Hi Sudhakar, there may be a possibility that you have downloaded the wrong local certificate. Please recheck. You need to download the last one (the leaf one, at the bottom).
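The two replies above describe the two checks in this series: comparing the downloaded leaf certificate with the one the server presents (remoteCertData vs localCertData), and public key pinning where only the extracted key stays in the project and is matched in the request challenge. Here is an added Swift example of both in one URLSession delegate; it is not the series' own code, the class and enum names are mine, it assumes a single pinned host and iOS 15 / macOS 12 APIs, and the two header constants are the standard SubjectPublicKeyInfo prefixes for RSA-2048 and EC P-256 keys (other key sizes are refused rather than mis-pinned).

```swift
import Foundation
import Security
import CryptoKit
// Added example, not the series' own code: pins one host either by comparing the leaf certificate's DER
// bytes with a bundled .cer, or by comparing the SHA-256 of the leaf's SubjectPublicKeyInfo with a pin list.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    enum Mode {
        case certificate(localDER: Data)        // the leaf .cer (bottom of the chain) from the bundle
        case publicKey(sha256Base64: [String])  // primary pin plus a backup pin, as TrustKit expects
    }
    // SPKI ASN.1 headers that SecKeyCopyExternalRepresentation strips off; other key sizes are refused.
    private static let rsa2048Header: [UInt8] = [0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
        0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00]
    private static let ecP256Header: [UInt8] = [0x30,0x59,0x30,0x13,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,
        0x02,0x01,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07,0x03,0x42,0x00]
    private let host: String; private let mode: Mode
    init(host: String, mode: Mode) { self.host = host; self.mode = mode }
    // Base64(SHA-256(SPKI)) of a key: the value the usual openssl pipeline prints for the certificate.
    static func spkiPin(for key: SecKey) -> String? {
        guard let raw = SecKeyCopyExternalRepresentation(key, nil) as Data?,
              let attrs = SecKeyCopyAttributes(key) as? [String: Any],
              let type = attrs[kSecAttrKeyType as String] as? String,
              let bits = attrs[kSecAttrKeySizeInBits as String] as? Int else { return nil }
        let header: [UInt8]
        if type == (kSecAttrKeyTypeRSA as String), bits == 2048 { header = rsa2048Header }
        else if type == (kSecAttrKeyTypeECSECPrimeRandom as String), bits == 256 { header = ecP256Header }
        else { return nil }
        return Data(SHA256.hash(data: Data(header) + raw)).base64EncodedString()
    }
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              challenge.protectionSpace.host == host,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil); return   // other hosts: plain system TLS
        }
        // Normal chain validation against the system roots comes first; pinning is an extra check on top.
        SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, host as CFString))
        guard SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else { completionHandler(.cancelAuthenticationChallenge, nil); return }
        let pinned: Bool
        switch mode {
        case .certificate(let localDER): pinned = (SecCertificateCopyData(leaf) as Data) == localDER
        case .publicKey(let pins): pinned = SecCertificateCopyKey(leaf).flatMap(Self.spkiPin).map { pins.contains($0) } ?? false
        }
        // A failed pin cancels the challenge, so every request to this host through this session errors out.
        completionHandler(pinned ? .useCredential : .cancelAuthenticationChallenge, pinned ? URLCredential(trust: trust) : nil)
    }
}
```

Create the session as URLSession(configuration: .default, delegate: PinningSessionDelegate(host: "api.example.com", mode: .publicKey(sha256Base64: [primaryPin, backupPin])), delegateQueue: nil) and every task on it goes through the check; a renewed certificate with the same key keeps passing the publicKey mode, while the certificate mode needs the new leaf in the bundle.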
All the videos in this series are very brilliantly explained. Thank you so much for creating such content. I was struggling a lot with SSL pinning and finally I found your videos.
Hi Pankaj. No, we don't need to add the certificate to the app bundle. TrustKit works on Public Key Pinning. If you are able to get the public key of your certificate from your security or backend team, you don't need the certificate. The certificate is only needed to extract the public key. It is not used in code anywhere.
Hi Sir, thanks for the reply. I need to know: if the certificate from which we have extracted the public key expires, will our public key still work, or do we need to change it again if the certificate is reissued?
@@pankajchauhan4881 If the certificate is expired and you renew it, the public key remains the same and doesn't change. If you buy a new certificate, the public key will change and you need to change the same in your code as well. So it is better to renew your expired certificate to keep the public keys the same.
Hi @rajanmaheshwari, while going through the swcutil file I'm seeing the below: User approval: unspecified Site/Fmwk Approval: approved. But after tapping on the link when the app is not installed, it takes me to the App Store page of the app; but I installed the build from TestFlight and there was no callback into any of the app delegate methods like open URL or the user activity delegate. Also, is there any particular way to generate the deferred deep link for iOS? Hoping to see your response.
Hi Pooja. Thanks for checking out the video. There are certain things that still require investigation. 1. What deferred deep link mechanism are you using (AppsFlyer, Firebase, Branch, or something else)? How are you generating a deferred deep link? 2. If you are using Firebase, have you enabled "allow pasteboard", as Firebase uses that for the dynamic deep link? Sometimes the Firebase dynamic method is not able to parse the link because the link was not properly URL encoded. 3. Are your dynamic links working in debug mode, like clicking on the link without the app installed? It goes to the App Store and then you install it from Xcode. Check the openUrl method and debug the same. A deep link can also fail if the deferred deep link is not properly made. Let me know if you have any questions.
Hi. Thanks for checking out the video. I have added the API endpoint in the description. Just create your API key from the openweathermap site. For iOS, we have the .ipa, but that won't run on your device, as the device needs to be added in the developer portal and then attached to the provisioning profile.
Hey Rajan, thanks for the detailed review. One issue I'm facing though: I'm losing internet connectivity as soon as I turn the manual proxy on. When the proxy is off it's working fine. If you could provide any solution it'll be a great help.
Hi. Thanks for checking out the video. I am not very sure about losing the internet. Maybe firewalls in your network are preventing the proxy from using the internet. Also do check that the macOS proxy is unchecked. However, it won't make a difference. Try using Charles in some other network too and see if the same thing happens!
Hi Rajan, yes, I've tried switching to another network and it works fine. Also yes, the macOS proxy doesn't have any effect over it. Not sure why it fails on just that network.
May I ask one question? My app link is running fine, except that when my app is not installed on a mobile phone, I am expecting the app link to show a bar displaying a link to the App Store to install my app, but it does not happen. What could be the problem? How can I troubleshoot the problem? Thank you.
Hi, I think you are talking about the banners which are shown on your website when the app is not installed. Please check the Apple doc, where it is given how to add a script to show a banner.
Hi. You have to write a single/generic Network Manager in such a way that all your managers will be calling that single manager class. You can use the base class/subclass concept too. In short, the module managers will call this single manager class, and this class will be responsible for further validations like SSL pinning or anything else. Generally, we have only a single Network Manager within the app and we segregate at the module level. You can implement the SSL logic in that single network manager class.
Hi, the commands are in the video itself. I haven't pasted the same in the description. Will do that shortly. However, these are openssl commands which can be found online easily.
Hack games as in? It's just a network monitoring tool which can help you to consume or ingest wrong data. All the rest of the checks depend on the server. I believe we cannot change the server config files using this.
Thank you sir for the great explanation. I am getting "Certificate Pinning Completed Successfully"), but {"Success":false,"Message":"API not found","ErrorCode":404}. Don't understand why this comes. Better if you could help:
Hi, thanks for checking out the videos. This error is certainly related to the API not working or not being found, and a 404 code is returned in the response. The pinning part is fine and is independent of the error you received.
@@rajanmaheshwari: Ok. Must SSLPinning be called before any API call? Suppose I have called 4 APIs in one view controller; then do I need to pass 4 URLs in the callAnyApi method? Currently I was passing the base URL in the SSL pinning method.
@@nehanarang2674 You don't need to call anything. You only need to pass the domain where your APIs are hosted. That's it. The URLSession delegate will take care of the rest. It will return an error for all your API calls if pinning fails.
@@rajanmaheshwari: Ok. I am doing the same: SSlPinningManager.shared.callAnyApi(urlString: BASE_URL, isCertificatePinning: false) { (response) in print(response) }. But it gives me the same error as I posted in my first comment.