How to use native SSL Pinning

[onmyway133]

From iOS 14, we can do Identity Pinning: How to configure server certificates for your app right from Info.plist

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSPinnedDomains</key>
        <dict>
            <key>awesome.apps.example.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSPinnedCAIdentities</key>
                <array>
                    <dict>
                        <key>SPKI-SHA256-BASE64</key>
                        <string>12312312312xasdas123asdasdasdasdsad</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </dict>

There are a few drawbacks

• The subdomains works for multiple part host as well, as long as it is 1 subdomain level
• Need to duplicate values in each Info.plist
• Need to duplicate values if the host differs
• Can't use User Defined Settings variables in localized Info.plist
• Does not work for CFNetwork, WKWebView

Read more

• https://github.com/datatheorem/TrustKit
• https://www.appknox.com/blog/bypass-ssl-pinning-in-ios-app
• https://blog.eidinger.info/infoplist-based-certificate-pinning-on-ios
• https://www.amazontrust.com/repository/