Security in iOS Apps: Transport Layer

Shobhit Gupta
Oct 29, 2020

SSL Pinning:-

When a mobile app communicates with a server, SSL pinning protects the transmitted data against tampering and eavesdropping. By default, the SSL implementations used in apps trust any server whose certificate chains to a root in the operating system's trust store.

With SSL pinning, the app is built to reject all but one or a small predefined set of certificates. When the app connects to a server, it compares the server's certificate with the pinned certificate; only when they match is the server trusted and the SSL connection established. This is what makes SSL pinning one of the best iOS app security practices that developers follow.

Why Do We Need SSL Pinning in iOS?

The task of setting up and maintaining the SSL session is delegated to a system library, which means the app establishing the connection does not itself decide which certificates should or should not be trusted.

An attacker who can generate a self-signed certificate and add it to the operating system's trust store can mount a MITM attack against apps that rely on SSL alone. This lets them do exactly what the iOS application security tips aim to prevent:

  • Read and modify every SSL session, and use that access to reverse engineer the app's protocol or extract API keys from requests.
  • Intercept SSL sessions by tricking users into installing a trusted CA through malicious web pages. Root CAs trusted by the device can also be compromised and used to generate certificates.

By reducing the number of SSL certificates the iOS app trusts, the app is protected from such remote attacks. It also helps prevent reverse engineering, one of the biggest roadblocks in iOS app security testing.

How does SSL work?

SSL pinning is one of the most common iOS app security tips, but to understand what it means you first have to know how SSL works.

  • A browser attempts to connect to a website secured with SSL and asks the web server to identify itself.
  • The web server sends the browser a copy of its SSL certificate.
  • The browser checks whether the SSL certificate can be trusted. If it can, it sends a message to the web server.
  • The web server sends back an acknowledgement to begin the SSL-encrypted session.
  • Encrypted data is then exchanged between the browser and the web server.

Types of SSL Certificate Pinning Implementation:-

The implementation of SSL pinning gives you two options:

  • Pin the certificate: download the server's certificate and bundle it in the app. At runtime, the app compares the server's certificate to the one(s) you embedded.
  • Pin the public key: extract the certificate's public key and store it in the code as a string. At runtime, the app compares the certificate's public key to the one hard-coded in the app.

Choosing between the two SSL pinning methods depends on your server configuration and individual needs. If you choose the first option, you will have to upload a new build of the app whenever the server changes its certificate, or the app will stop working. If you choose the second option, you might violate the key rotation policy, since the public key won't change.

Let's now look at how to implement these methods in line with iOS app security best practices.

How to Implement SSL Pinning in your iOS App:-

1. NSURLSession:-

For NSURLSession, the primary method for handling SSL pinning is the URLSession:didReceiveChallenge:completionHandler: delegate method. Developers have to make their class conform to URLSessionDelegate and add this function to the class:

This function "requests credentials from the delegate in response to an authentication request from the remote server." The developer then compares the certificate presented by the server with the one saved in the app bundle. If the two certificates are identical, authentication passes and the client is allowed to connect to the server.
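The delegate method described above, as an added example that is not the article's own code (the original gist is not reproduced on this page). It assumes the server certificate is bundled DER-encoded as `server.der` (an assumed resource name) and iOS 15 or later for `SecTrustCopyCertificateChain`:

```swift
import Foundation
import Security

// Added example (not from the article). Assumes a DER-encoded copy of the
// server certificate is bundled in the app as "server.der" and iOS 15+.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedCertificates: [Data]
    init(pinnedCertificates: [Data]) {
        self.pinnedCertificates = pinnedCertificates
    }
    /// Load a bundled DER certificate; the resource name is an assumption.
    static func loadPinnedCertificate(named name: String = "server",
                                      in bundle: Bundle = .main) -> Data? {
        guard let url = bundle.url(forResource: name, withExtension: "der") else { return nil }
        return try? Data(contentsOf: url)
    }
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are pinned; others (e.g. HTTP auth) get default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let serverTrust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Keep the normal chain validation (expiry, hostname, trust store)
        // and add the pin check on top of it, rather than replacing it.
        var error: CFError?
        guard SecTrustEvaluateWithError(serverTrust, &error),
              let chain = SecTrustCopyCertificateChain(serverTrust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Byte-for-byte comparison of the leaf certificate with the bundled copy.
        let leafData = SecCertificateCopyData(leaf) as Data
        if pinnedCertificates.contains(leafData) {
            completionHandler(.useCredential, URLCredential(trust: serverTrust))
        } else {
            // Mismatch: refuse the connection instead of falling back to the trust store.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request made through this session is subject to the pin.
let pins = [PinnedSessionDelegate.loadPinnedCertificate()].compactMap { $0 }
let session = URLSession(configuration: .default,
                         delegate: PinnedSessionDelegate(pinnedCertificates: pins), delegateQueue: nil)
```

If the bundled certificate is missing, `pins` is empty and every server-trust challenge is cancelled, which is the safe failure mode for a pinned client.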

Shobhit Gupta

Sr iOS Engineer, Bharti Airtel Limited, Technology Lover