datatheorem / TrustKit

Easy SSL pinning validation and reporting for iOS, macOS, tvOS and watchOS.
MIT License

SSL Pinning not working #242

Closed annathomasQB closed 3 years ago

annathomasQB commented 3 years ago

Hi,

Please help me out.

I'm following the docs and have implemented SSL pinning with the following parameters. But when I test with the Burp Suite certificate trusted on my phone, the app still loads. If SSL pinning is in place, it should throw an error, right? I'm not sure what I've done wrong.

Here's my code inside Security.swift:

```swift
import TrustKit

class Security {
    // Placeholder pin values: the real ones are the base64 SHA-256 hashes of the
    // server's SPKI and of a backup key (TrustKit requires at least two pins).
    static let publicKeyHash1 = "<BASE64_SPKI_SHA256_PIN_1>"
    static let backupKeyHash = "<BASE64_SPKI_SHA256_BACKUP_PIN>"

    class func startSSLPinning() {
        let trustKitConfig = [
            kTSKSwizzleNetworkDelegates: false,
            kTSKPinnedDomains: [
                "CLIENT_DOMAIN_NAME": [
                    kTSKIncludeSubdomains: true,
                    kTSKEnforcePinning: true,
                    kTSKPublicKeyHashes: [
                        publicKeyHash1,
                        backupKeyHash
                    ],
                ],
            ],
        ] as [String: Any]

        TrustKit.initSharedInstance(withConfiguration: trustKitConfig)
    }
}
```

In my AppDelegate `didFinishLaunchingWithOptions`:

```swift
Security.startSSLPinning()
```

In my network layer, I'm implementing the pinning validator code as per the documentation inside `didReceiveChallenge`. This method is visible inside an `EventMonitor`-type class of Alamofire.

```swift
import Alamofire
import TrustKit

final class Logger: EventMonitor {
    // Note: EventMonitor only observes session events; Alamofire's own
    // SessionDelegate is what answers the authentication challenge.
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if TrustKit.sharedInstance().pinningValidator.handle(challenge, completionHandler: completionHandler) == false {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}
```

and my session is defined like so:

```swift
let session = Session(eventMonitors: [Logger()])
```

I know something is missing, but not exactly sure what. It could be some issue with delegate not getting set right, or I need to implement more methods? Please help.

annathomasQB commented 3 years ago

I was able to resolve this issue by creating a `CustomSessionDelegate` class for `SessionDelegate` and overriding the delegate function like this:

```swift
import Alamofire
import TrustKit

class CustomSessionDelegate: SessionDelegate {

    override func urlSession(_ session: URLSession,
                             task: URLSessionTask,
                             didReceive challenge: URLAuthenticationChallenge,
                             completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Call into TrustKit here to do pinning validation
        if TrustKit.sharedInstance().pinningValidator.handle(challenge, completionHandler: completionHandler) == false {
            // TrustKit did not handle this challenge: perhaps it was not for server trust
            // or the domain was not pinned. Fall back to the default behavior
            completionHandler(.performDefaultHandling, nil)
        }
    }
}
```

and then assigned this `CustomSessionDelegate` as my session delegate when creating the session:

```swift
let session = Session(delegate: CustomSessionDelegate(), eventMonitors: [Logger()])
```
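The fix above works because, in Alamofire 5, `SessionDelegate` is the object that answers `URLSession`'s server-trust challenge, while an `EventMonitor` only observes events and cannot change the challenge disposition. The following is an added example (not the thread author's code or TrustKit's own sample) that puts the whole setup in one place: TrustKit configuration with swizzling off and enforcement on, a `SessionDelegate` subclass that routes every challenge through TrustKit, and a `pinningValidatorCallback` that logs blocked connections so a pin failure (for example, a proxy CA trusted on the device) shows up in telemetry rather than only as a failed request. The host name, the two pin values and the report URL are placeholders.

```swift
import Foundation
import Alamofire
import TrustKit

// Placeholders: replace with the real domain and the base64 SHA-256 of the
// server's SPKI plus a backup key. TrustKit requires at least two pins per domain.
enum PinnedAPI {
    static let host = "api.example.com"                        // placeholder
    static let leafPin = "PLACEHOLDER_BASE64_SPKI_SHA256_1="    // placeholder
    static let backupPin = "PLACEHOLDER_BASE64_SPKI_SHA256_2="  // placeholder
}

enum Security {
    static func startSSLPinning() {
        let config: [String: Any] = [
            // Swizzling off: the session delegate below performs validation explicitly.
            kTSKSwizzleNetworkDelegates: false,
            kTSKPinnedDomains: [
                PinnedAPI.host: [
                    kTSKIncludeSubdomains: true,
                    // Enforce: a chain matching none of the pins is blocked, not only reported.
                    kTSKEnforcePinning: true,
                    kTSKPublicKeyHashes: [PinnedAPI.leafPin, PinnedAPI.backupPin],
                    // Optional: pin-failure reports go to your own collector (placeholder URL).
                    kTSKReportUris: ["https://reports.example.com/pin-failure"],
                ],
            ],
        ]
        TrustKit.initSharedInstance(withConfiguration: config)

        // Invoked after every evaluation (on a background queue). Logging the block
        // decision locally makes an unexpected interception visible to the team.
        TrustKit.sharedInstance().pinningValidatorCallback = { result, hostname, _ in
            switch result.finalTrustDecision {
            case .shouldBlockConnection:
                NSLog("[pinning] BLOCKED %@ (pinned as %@), evaluation result %ld",
                      hostname, result.notedHostname, result.evaluationResult.rawValue)
            case .domainNotPinned:
                NSLog("[pinning] %@ is not a pinned domain; default trust applies", hostname)
            case .shouldAllowConnection:
                break
            @unknown default:
                break
            }
        }
    }
}

/// SessionDelegate answers URLSession's challenge, so this is the one place
/// TrustKit must be consulted. EventMonitor callbacks cannot affect the outcome.
final class PinningSessionDelegate: SessionDelegate {
    override func urlSession(_ session: URLSession,
                             task: URLSessionTask,
                             didReceive challenge: URLAuthenticationChallenge,
                             completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // handle(_:completionHandler:) returns true when TrustKit either allowed
        // or cancelled the connection itself.
        if !TrustKit.sharedInstance().pinningValidator.handle(challenge, completionHandler: completionHandler) {
            // Not a server-trust challenge, or an unpinned domain: let Alamofire's
            // own handling (ServerTrustManager, client certificates, HTTP auth) decide.
            super.urlSession(session, task: task, didReceive: challenge, completionHandler: completionHandler)
        }
    }
}

// Use this delegate for every session that talks to the pinned host.
let session = Session(delegate: PinningSessionDelegate())
```

Calling `super` rather than completing with `.performDefaultHandling` keeps Alamofire's other challenge handling intact for unpinned hosts; with `kTSKEnforcePinning` set to `true`, a request to the pinned host through a proxy whose CA is trusted on the device is cancelled by TrustKit and shows up in the callback as `.shouldBlockConnection`.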

anishtr4 commented 3 years ago

@annathomasQB Would you mind converting the above override method to Objective-C? I am not a native guy, so help would be much appreciated.

annathomasQB commented 3 years ago

@anishtr4 The Objective-C equivalent of this method is listed at the bottom of TrustKit's Sample Usage. You just need to add the override button if you're planning on adding the CustomSessionDelegate class.