{"id":58201,"date":"2023-09-13T13:24:32","date_gmt":"2023-09-13T07:54:32","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=58201"},"modified":"2023-09-28T13:37:19","modified_gmt":"2023-09-28T08:07:19","slug":"prevent-mitm-attack-by-ssl-pinning-urlsession","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/prevent-mitm-attack-by-ssl-pinning-urlsession\/","title":{"rendered":"Prevent MITM Attack by SSL Pinning (URLSession)"},"content":{"rendered":"

What is an MITM Attack?<\/strong><\/h2>\n

An MITM is a form of cyber attack where a malicious individual manipulates two users to access data that two parties are trying to deliver to each other. A malicious hacker, without being recognized hacks the intended data that are meant to be sent to a particular person. In certain aspects, like MITM, MitM, MiM, or MIM, MITM attacks can be referred to.<\/span><\/p>\n

Simply put, an MITM attack occurs when an attacker puts himself between a client and a webpage.<\/span><\/p>\n

How does MITM work?<\/strong><\/h2>\n

Hackers use MITM attacks to access personal information or anything confidential by pretending known users or webpages. They basically spy on users’ private meetings or confidential data and extract useful information.<\/span><\/p>\n

Real-life Instances of MITM Attack\u00a0<\/strong><\/h2>\n

\"\"<\/a><\/p>\n


\nHow can we prevent MITM attacks with SSL Pinning?<\/strong><\/h2>\n

I<\/span>n iOS we retrieve data from the server to use in the application, and then we work with this functionality in the application. While fetching these data from the server Transport Layer Security protocol is used to provide secure communication between each other. Apps don\u2019t know which certificates are to be trusted rather they use certificates that iOS contains\u00a0<\/span><\/p>\n

Let’s start with installing the certificate:<\/strong><\/h3>\n

Here we need to download the certificate from the server, For that, we need to follow these steps:<\/p>\n

    \n
  1. First, you need to ask for the certificate from the Backend People which they are using at their end.<\/span><\/li>\n
  2. If it is a Public API like an open URL: for example:\u00a0 <\/span>https:\/\/datausa.io<\/span><\/a> click on this link.\u00a0<\/span><\/li>\n
  3. You will find a lock icon on the left when the connection is established with the server.<\/span><\/li>\n<\/ol>\n

    \"\"<\/a><\/span><\/p>\n

    On clicking on this icon, you will find a popup showing <\/span><\/p>\n

    \u00a0 \"\"<\/a><\/span><\/p>\n

    On Clicking Show Certificate, you will see:<\/span><\/p>\n

    \"\"<\/a>\u00a0<\/a><\/p>\n

    \u00a0Just drag and drop this certificate in your project bundle<\/span><\/p>\n

      \n
    1. The certificate name will be like: <\/span>sni.cloudflaressl.com.cer<\/b>, you can edit the certificate name.<\/span><\/li>\n<\/ol>\n

      Now we have completed all the preparations for the implementation of SSL pinning<\/span><\/em><\/p>\n

      Implementing SSL Pinning using URL Session:<\/strong><\/h3>\n

      Now let’s set our Network Manager by URLSession for calling APIs<\/span><\/p>\n

      NetworkManager.swift<\/strong><\/em><\/p>\n

      \"\"<\/a><\/p>\n

      We need to do two things:\u00a0<\/span><\/p>\n

        \n
      1. We have a local certificate in our bundle.<\/span><\/li>\n
      2. We will create a certificate from the host.<\/span><\/li>\n
      3. Now, we will compare both certificates by converting them into <\/span>Data<\/b>, and if the data is synced from both certificates, then we will say that Certificate Pinning is successful; otherwise, it has failed.<\/span><\/li>\n<\/ol>\n

        Now for certificate pinning:<\/span><\/p>\n

        1. We have to create a<\/span> Server Trust<\/b> first. Now, what does the Server Trust mean? – Server Trust means that your computer \/ Mobile app is sending out packet addresses to other computers (like server) IP addresses, but it is not receiving any response packet from that server.\u00a0<\/span><\/p>\n

        \"\"<\/a><\/span><\/p>\n

        2. Now check for the SSL policy for the domain.<\/p>\n

        \"\"<\/a><\/p>\n

        3. Evaluate the certificate using the policy as well as Server Trust<\/p>\n

        \"\"<\/a><\/p>\n

        4. Convert the Local and Remote certificates into data<\/span><\/p>\n

        \"\"<\/a><\/span><\/p>\n

        5. Compare both the certificates:<\/span><\/p>\n

        \"\"<\/a><\/span><\/p>\n

        \/\/MARK: URLSessionDelegate<\/b><\/p>\n

        NetworkManager.swift<\/strong><\/em><\/p>\n

        \"\"<\/a><\/p>\n

        Now if we are fetching any details from the server, and any MITM attack occurs, it will cancel the authentication challenge and return nothing, which means Man in the Middle will not find any request from the network. Show an error something like this one:<\/span><\/p>\n

        \"\"<\/a><\/p>\n

        Detection of Man-in-the-middle attack<\/strong><\/h2>\n

        It is very hard to identify an MITM attack, so we have to take appropriate measures to monitor and identify the attack before it’s too late. The main technique to identify a potential attack is to always search for adequate page authorization and introduce some kind of temporary authorization; however, these will need forensic investigation and will be a lengthy process.<\/span><\/p>\n

        So instead of identifying an attack, we should take precautionary measures to avoid it, and for this, one should always be mindful of his surfing habits and beforehand identify the possible hazardous environment.<\/span><\/p>\n

        Preventions of Man-in-the-middle Attack:<\/strong><\/h3>\n
          \n
        1. Wireless access point (WAP) Encryption: <\/b>Creating a strong protection feature on access points eliminates legitimate access just from being closer to accessing the system. A vulnerable protection system will enable an intruder to brute-force his way into the system and start attacking the MITM.<\/li>\n<\/ol>\n
            \n
          1. Use a VPN<\/b><\/li>\n<\/ol>\n