iOSアプリ内で不正なSSL証明書を検知する / SSL Pinning for iOS apps

iOSΞϓϦ಺Ͱෆਖ਼ͳ
SSLূ໌ॻΛݕ஌͢Δ
Keisuke Kobayashi (kobakei)
iOSDC Japan 2018
8/31 (Fri) 14:20~ @Track A

View Slide

ࣗݾ঺հ
• Keisuke Kobayashi
• Twitter: kobakei122
• GitHub: kobakei
• Kyash, Inc
• Android / iOS / Engineering Manager

View Slide

͍ͭ࠷ۙϒϩά͕όζͬͨ

View Slide

View Slide

ΞδΣϯμ
• தؒऀ߈ܸͱ͸
• SSLূ໌ॻͷϐϯཹΊ (SSL Pinning)
• ࣮ࡍͷӡ༻ɾϋϚΓ͕ͪͳ᠘
• ຊ౰ʹϐϯཹΊ͢΂͖͔

View Slide

???ʮαʔόʔͱͷ௨৴͸શ෦
HTTPSԽͯ͠Δ͔Β҆શͰ͠
ΐʂʯ

View Slide

ຊ౰ʹͦ͏Ͱ͔͢ʁ

View Slide

HTTPSԽ͍ͯͯ͠΋ 
ϦεΫ͸ଘࡏ͢Δ
• αʔόʔূ໌ॻݕূͷόΠύεΛ͏͔ͬΓ 
ຊ൪ʹग़ͯ͠͠·͏
• தؒऀ߈ܸ

View Slide

αʔόʔূ໌ॻݕূͷόΠύε
• ओʹ։ൃ࣌ʹࣗݾॺ໊ূ໌ॻΛ࢖͏ͨΊʹݕূΛແޮ
Խ͢Δ͜ͱ͕͋Δ
• #ifdef DEBUG Ͱ։ൃ൛͚ͩόΠύε͢Δ
• ͜Ε͕͏͔ͬΓຊ൪ʹग़ͯ͠·͏ࣄނ
• ແྉ or ͍҆ূ໌ॻ΋͋ΔͷͰɺ։ൃ؀ڥʹ΋ͪΌΜͱ
ͨ͠ূ໌ॻΛஔ͍ͯৗʹόΠύε͠ͳ͍ͷ͕͓͢͢Ί

View Slide

தؒऀ߈ܸ
• 2ऀͷ௨৴ͷؒʹ߈ܸऀ͕հࡏ͢Δ͜ͱͰɺ௨৴ͷ౪
ௌ΍վ͟ΜΛߦ͏߈ܸ
• ӳޠͰ͸ Man in the middle (MITM)
• ࠷΋Ұൠతͳͷ͸ɺෆਖ਼ͳΞΫηεϙΠϯτΛઃஔ͢
Δ͜ͱ
• ྫɿո͍͠Free WiFiʹͭͳ͍ͩΒ৘ใ͕ൈ͔Εͨʂ

View Slide

SSL௨৴
ᶃ઀ଓཁٻ
ΫϥΠΞϯτ αʔόʔ

View Slide

SSL௨৴
ᶃ઀ଓཁٻ
ᶄެ։伴ͷૹ৴

View Slide

SSL௨৴
ᶃ઀ଓཁٻ
ᶄެ։伴ͷૹ৴
ᶅ҉߸Խͨ͠σʔλૹ৴
※ຊདྷ͸ᶄͱᶅͷؒʹڞ௨伴ͷ҉߸Խ͕ೖΓ·͢

View Slide

தؒऀ߈ܸ
ᶃ઀ଓཁٻ
߈ܸऀ

View Slide

தؒऀ߈ܸ
ᶃ઀ଓཁٻ ᶄ઀ଓཁٻ
߈ܸऀ

View Slide

தؒऀ߈ܸ
ᶅެ։伴ૹ৴
߈ܸऀ

View Slide

தؒऀ߈ܸ
ᶅެ։伴ૹ৴
ᶆެ։伴ૹ৴
߈ܸऀ

View Slide

தؒऀ߈ܸ
ᶅެ։伴ૹ৴
ᶆެ։伴ૹ৴
ᶇσʔλૹ৴
߈ܸऀ

View Slide

தؒऀ߈ܸ
ᶅެ։伴ૹ৴
ᶆެ։伴ૹ৴
ᶇσʔλૹ৴
ِͷ伴Ͱ҉߸Խ͞Ε͍ͯΔͷͰ
෮߸Մೳ → ౪ௌ͞ΕΔʂ
߈ܸऀ

View Slide

ิ଍:  
߈ܸऀͷূ໌ॻΛ৴༻ͯ͠͠·͏ʁ
• ϧʔτূ໌ॻΛ୺຤ʹΠϯετʔϧ͍ͯ͠Δ
৔߹
• ߈ܸऀ͕ೝূہ͔Βِ଄ূ໌ॻΛऔಘͨ͠৔
߹
※Ask The SpeakerͰ࣭໰͞ΕͨͷͰ௥ه

View Slide

ิ଍: ِ଄ূ໌ॻͷൃߦͱ͸ʁ
• ೝূہ͕ϋοΩϯά͞Εͨ৔߹ʹෆਖ਼ʹൃߦ
͞ΕΔ͜ͱ͕͋Δ
• ༗໊ͳೝূہͷϋοΩϯάࣄྫ
• 2011: Comodo
• 2011: DigiNotar
※Ask The SpeakerͰ࣭໰͞ΕͨͷͰ௥ه

View Slide

Ҿ༻: http://www.security-next.com/094624

View Slide

Ҿ༻: https://linecorp.com/ja/security/article/135

View Slide

ରࡦ͸Ͱ͖ͳ͍͔ʁ

View Slide

ϐϯཹΊ (SSL Pinning)
• SSLαʔόʔূ໌ॻ͕ΫϥΠΞϯτ͕ظ଴ͯ͠
͍Δ΋ͷͱಉҰ͔Λݕূ͢Δ

View Slide

ϐϯཹΊ
߈ܸऀ
ɹ͕དྷΔ͸ͣʜ

View Slide

ϐϯཹΊ
ᶅެ։伴ૹ৴
߈ܸऀ
ɹ͕དྷΔ͸ͣʜ

View Slide

ϐϯཹΊ
ᶅެ։伴ૹ৴
ᶆެ։伴ૹ৴
߈ܸऀ
ɹ͡Όͳ͍ͧʂ

View Slide

ϐϯཹΊ (SSL Pinning)
• ҎԼͷ2͕ͭ͋Δ
• ূ໌ॻϐϯཹΊ (certiﬁcate pinning)
• ެ։伴ϐϯཹΊ (public key pinning)

View Slide

ͦ΋ͦ΋SSLαʔόʔূ໌ॻͱ͸ʁ
• ެ։伴ͱॴ༗ऀ৘ใΛ΋ͱʹɺ৴པ͞Εͨೝ
ূہ͕ൃߦ͢Δ
• υϝΠϯॴ༗ݖɺاۀͷ࣮ࡏੑͷ֬ೝ

View Slide

ূ໌ॻ or ެ։伴ͷϐϯཹΊ
• ূ໌ॻͷϐϯཹΊ
• SSLαʔόʔূ໌ॻͦͷ΋ͷ͕Ұக͢Δ͔ݕূ
• ߋ৽ස౓͕ߴ͍ = ΞϓϦΛසൟʹߋ৽ඞཁ
• ެ։伴ͷϐϯཹΊ
• ূ໌ॻͷݩʹͳͬͨެ։伴͕Ұக͢Δ͔ݕূ
• ߋ৽ස౓͸௿͍

View Slide

ࢀߟ: Android 7Ҏ߱
• ެࣜͷωοτϫʔΫηΩϡϦςΟߏ੒ػೳ
• ެ։伴ͷϐϯཹΊΛαϙʔτ
• https://developer.android.com/training/
articles/security-conﬁg

View Slide

ࢀߟ: OkHttp
• Square͕։ൃ͢ΔAndroid༻HTTPΫϥΠΞϯτ
• σϑΝΫτελϯμʔυ
• ެ։伴ͷϐϯཹΊͷΈαϙʔτ͍ͯ͠Δ
• “certiﬁcate pinning”ͱυΩϡϝϯτʹ͸͋Δ
͕ɺ಺෦͸ެ։伴ϐϯཹΊ

View Slide

࣮૷ํ๏

View Slide

࣮૷
• ͦΕͧΕͷ௨৴ϥΠϒϥϦ͝ͱʹ঺հ͠·͢
• APIKit
• Alamoﬁre

View Slide

APIKit
• ඪ४ͰϐϯཹΊ͸αϙʔτ͍ͯ͠ͳ͍
• SessionAdapterʹద߹ͨ͠ΫϥεΛ࣮૷͢Δ
͜ͱͰɺ௨৴࣌ͷ֤छϋϯυϥΛΧελϚΠ
ζͰ͖Δ

View Slide

SessionAdapter
public protocol SessionAdapter {
func createTask(with URLRequest: URLRequest, handler: @escaping (Data?,
URLResponse?, Error?) -> Void) -> SessionTask
func getTasks(with handler: @escaping ([SessionTask]) -> Void)
}

View Slide

URLSessionAdapter
• SessionAdapterͷURLSession࣮૷
• URLSessionAdapterͷαϒΫϥεʹɺ 
ϐϯཹΊ༻ͷίʔϧόοΫΛ࣮૷͢Δ

View Slide

URLSessionAdapter
open class URLSessionAdapter: NSObject, SessionAdapter, URLSessionDelegate,
URLSessionTaskDelegate, URLSessionDataDelegate {
open var urlSession: URLSession!
public init(configuration: URLSessionConfiguration) {
super.init()
self.urlSession = URLSession(configuration: configuration, delegate: self,
delegateQueue: nil)
}
open func createTask(with URLRequest: URLRequest, handler: @escaping (Data?,
URLResponse?, Error?) -> Void) -> SessionTask {
...
}
open func getTasks(with handler: @escaping ([SessionTask]) -> Void) {
...
}
...
}

View Slide

MyURLSessionAdapter
• URLSessionAdapterͷαϒΫϥεΛ࡞੒
• ূ໌ॻϐϯཹΊ
• ެ։伴ϐϯཹΊ

View Slide

class MyURLSessionAdapter: URLSessionAdapter {
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) ->
Swift.Void) {
if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
if let serverTrust = challenge.protectionSpace.serverTrust {
var secresult = SecTrustResultType.invalid
let status = SecTrustEvaluate(serverTrust, &secresult)
if errSecSuccess == status {
if let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) {
let serverCertificateData = SecCertificateCopyData(serverCertificate)
let data = CFDataGetBytePtr(serverCertificateData);
let size = CFDataGetLength(serverCertificateData);
let cert1 = NSData(bytes: data, length: size)
let fileDer = Bundle.main.path(forResource: "github", ofType: "der")
if let file = fileDer {
if let cert2 = NSData(contentsOfFile: file) {
if cert1.isEqual(to: cert2 as Data) {
completionHandler(URLSession.AuthChallengeDisposition.useCredential,
URLCredential(trust:serverTrust))
return
}
}
}
}
}
}
}
// Pinning failed
completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil)
}
}

View Slide

Swift.Void) {
return
}
}
}
}
}
}
}
// Pinning failed
}
}
SSLαʔόʔূ໌ॻ

View Slide

Swift.Void) {
return
}
}
}
}
}
}
}
// Pinning failed
}
}
αʔόʔূ໌ॻΛNSDataʹ

View Slide

Swift.Void) {
return
}
}
}
}
}
}
}
// Pinning failed
}
}
ΫϥΠΞϯτͷDERϑΝΠϧ

View Slide

ΫϥΠΞϯτଆͷূ໌ॻ
• OpenSSLͰαʔόʔͱ઀ଓͯ͠ΫϥΠΞϯτ
༻ͷূ໌ॻΛ࡞੒
openssl s_client -connect api.github.com:443 -showcerts
< /dev/null | openssl x509 -outform DER > github.der

View Slide

ϓϩδΣΫτʹ഑ஔ

View Slide

Swift.Void) {
return
}
}
}
}
}
}
}
// Pinning failed
}
}
σʔλΛൺֱ

View Slide

Swift.Void) {
return
}
}
}
}
}
}
}
// Pinning failed
}
}
઀ଓࣦഊ

View Slide

MyURLSessionAdapter
• URLSessionAdapterͷαϒΫϥεΛ࡞੒
• ূ໌ॻϐϯཹΊ
• ެ։伴ϐϯཹΊ

View Slide

let pinnedPublicKeyHash = "y2HhTRXXLdmAF1esYBb/muQUl3BIBdmEB8jUvMrGc28="
Swift.Void) {
let serverPublicKey = SecCertificateCopyPublicKey(serverCertificate)
let serverPublicKeyData: NSData =
SecKeyCopyExternalRepresentation(serverPublicKey!, nil )!
let keyHash = sha256(data: serverPublicKeyData as Data)
if (keyHash == pinnedPublicKeyHash) {
completionHandler(.useCredential, URLCredential(trust:serverTrust))
return
}
}
}
}
}
// Pinning failed
}

View Slide

Swift.Void) {
return
}
}
}
}
}
// Pinning failed
}
ެ։伴ͷSHA256ϋογϡ

View Slide

ϋογϡग़ྗ
#!/bin/bash
certs=`openssl s_client -servername $1 -host $1 -port 443 -showcerts /dev/null | sed -n '/
Certificate chain/,/Server certificate/p'`
rest=$certs
while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]]
do
cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
rest=${rest#*-----END CERTIFICATE-----}
echo `echo "$cert" | grep 's:' | sed 's/.*s:$.*$/\1/'`
echo "$cert" | openssl x509 -pubkey -noout |
openssl rsa -pubin -outform der 2>/dev/null |
openssl dgst -sha256 -binary | openssl enc -base64
done
Ҿ༻: https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e

View Slide

Swift.Void) {
return
}
}
}
}
}
// Pinning failed
}
αʔόʔূ໌ॻ

View Slide

Swift.Void) {
return
}
}
}
}
}
// Pinning failed
}
αʔόʔূ໌ॻ͔Β
ެ։伴ΛऔΓग़͢

View Slide

Swift.Void) {
return
}
}
}
}
}
// Pinning failed
}
ެ։伴ͷSHA256ϋογϡ

View Slide

Swift.Void) {
return
}
}
}
}
}
// Pinning failed
}
ެ։伴ϋογϡΛൺֱ

View Slide

ϦΫΤετ
self.adapter = MyURLSessionAdapter(configuration: URLSessionConfiguration.default)
self.session = Session(adapter: adapter)
let request = RateLimitRequest()
self.session.send(request) { result in
switch result {
case .success(let rateLimit):
print("limit: \(rateLimit.limit)")
print("remaining: \(rateLimit.remaining)")
case .failure(let error):
print("error: \(error)")
}
}

View Slide

ϦΫΤετ
switch result {
}
}
MyURLSessionAdapter͔Β
SessionΛ࡞੒

View Slide

ϦΫΤετ
switch result {
}
}
SessionΠϯελϯεΛ࢖ͬͯ 
ϦΫΤετ

View Slide

Alamoﬁre
• ඪ४Ͱαϙʔτ͞Ε͍ͯΔ
• Kyash͸ͬͪ͜

View Slide

SessionManager
override func viewDidLoad() {
super.viewDidLoad()
// ϐϯཹΊ
let serverTrustPolicies: [String: ServerTrustPolicy] = [
"api.github.com": .pinCertificates(
certificates: ServerTrustPolicy.certificates(),
validateCertificateChain: true,
validateHost: true
),
"insecure.expired-apis.com": .disableEvaluation
]
self.sessionManager = SessionManager(
serverTrustPolicyManager: ServerTrustPolicyManager(policies:
serverTrustPolicies)
)
}

View Slide

SessionManager
super.viewDidLoad()
// ϐϯཹΊ
"api.github.com": .pinCertificates(
certificates: ServerTrustPolicy.certificates(),
validateHost: true
),
]
)
}
ূ໌ॻϐϯཹΊ

View Slide

SessionManager
super.viewDidLoad()
// ϐϯཹΊ
"api.github.com": .pinPublicKeys(
publicKeys: ServerTrustPolicy.publicKeys(),
validateHost: true
),
]
)
}
ެ։伴ϐϯཹΊ

View Slide

SessionManager
super.viewDidLoad()
// ϐϯཹΊ
"api.github.com": .pinPublicKeys(
publicKeys: ServerTrustPolicy.publicKeys(),
validateHost: true
),
]
)
}
ϙϦγʔ͔Β
SessionManagerΛ࡞੒

View Slide

ϦΫΤετ
let url = "https://api.github.com/users/kobakei/repos"
sessionManager.request(url, method: .get,
parameters: nil,
encoding: URLEncoding.default,
headers: nil)
.responseString { (response: DataResponse) in
// do something
}
SessionManagerΠϯελϯεΛ࢖ͬͯ
ϦΫΤετ

View Slide

ϐϯཹΊͰ͖ͯΔ͔֬ೝ
• Charles΍mitmproxyΛ࢖ͬͨͱ͖ʹɺ 
௨৴ΤϥʔʹͳΕ͹OK

View Slide

Charles
• ΢Σϒ։ൃऀ༻ͷσόοάϓϩΩγ
• HTTPS௨৴ͷத਎͕ݟ͑Δ
• தؒऀ߈ܸͱಉ͜͡ͱΛ͍ͯ͠Δ
• ϐϯཹΊ͍ͯ͠Δͱ࢖͑ͳ͍
• PC൛/iOS൛͕͋Δ

View Slide

SSL Proxyingແޮ
• HTTPSͳͷͰ௨৴಺༰͕ 
҉߸Խ͞Ε͍ͯΔ

View Slide

SSL Proxying༗ޮ
• ϐϯཹΊ͍ͯ͠ͳ͍৔߹
• ௨৴͸੒ޭ
• JSONؙ͕ݟ͑

View Slide

SSL Proxying༗ޮ
• ϐϯཹΊͨ͠৔߹
• ઀ଓ͕Ωϟϯηϧ͞ΕΔ
• දࣔ

View Slide

։ൃ࣌ʹCharles࢖͑ͳ͍ʁ
• ։ൃ͚࣌ͩϐϯཹΊΛແޮԽ
• ࣄނΓ΍͍͢ͷͰݸਓతʹ͸Φεεϝ͠ͳ͍
• ผ్ϥΠϒϥϦΛೖΕΔ
• Flipboard/FLEX
• Facebook/Flipper (Sonar)

View Slide

SSLαʔόʔূ໌ॻͷӡ༻

View Slide

SSLαʔόʔূ໌ॻͷӡ༻
• αʔόʔνʔϜʢ·ͨ͸ΠϯϑϥνʔϜʣͱ
࿈ܞͯ͠ߋ৽࡞ۀΛ͢Δ
• SSLαʔόʔূ໌ॻ or ެ։伴ͷߋ৽࣌ʹɺ 
ΫϥΠΞϯτͷڧ੍Ξοϓσʔτ͕ඞཁ
• ๨ΕΔͱݹ͍ΫϥΠΞϯτͰ௨৴͕શ໓͢
Δ

View Slide

ӡ༻ϑϩʔ
αʔόʔ
ΫϥΠΞϯτ
͜͜·Ͱʹ 
ߋ৽͠ͳ͍ͱࢮ͵
ূ໌ॻ
༗ޮظݶ

View Slide

ӡ༻ϑϩʔ
αʔόʔ
ΫϥΠΞϯτ
ূ໌ॻ
༗ޮظݶ
৽͍͠
ূ໌ॻʹ
ߋ৽

View Slide

ӡ༻ϑϩʔ
αʔόʔ
ΫϥΠΞϯτ
ূ໌ॻ
༗ޮظݶ
৽͍͠
ূ໌ॻʹ
ߋ৽
ݹ͍ূ໌ॻͱϐϯཹΊ͍ͯ͠ΔͷͰ 
઀ଓͰ͖ͳ͘ͳΔ

View Slide

ӡ༻ϑϩʔ
αʔόʔ
ΫϥΠΞϯτ
ূ໌ॻ
༗ޮظݶ
৽چͷূ໌ॻʹରԠͨ͠ 
όʔδϣϯ΁Ξοϓσʔτ
৽ΞϓϦ
چΞϓϦ

View Slide

ӡ༻ϑϩʔ
αʔόʔ
ΫϥΠΞϯτ
ূ໌ॻ
༗ޮظݶ
ڧ੍ΞοϓσʔτͰ
৽ΞϓϦʹ༠ಋ
৽ΞϓϦ
چΞϓϦ

View Slide

ϋϚΓ͕ͪͳ᠘
• ڧ੍Ξοϓσʔτͷ࣮૷ํ๏

View Slide

Α͋͘Δڧ੍Ξοϓσʔτ
• ϦΫΤετͷϔομʔʹΞϓϦͷόʔδϣϯ
Λ٧ΊΔ
• αʔόʔͰϔομʔ͔Βݹ͍ΫϥΠΞϯτ͔
൑ఆ͠ɺݹ͍ΫϥΠΞϯτͷͱ͖ʹΤϥʔΛ
ฦ͢

View Slide

Կ͕໰୊͔ʁ
• ϐϯཹΊΛ࣮૷͢ΔͱɺϦΫΤετͷલʹ઀
ଓ͕Ωϟϯηϧ͞ΕΔ
• ͭ·Γαʔόʔ͔Βڧ੍ΞοϓσʔτͷΤϥ
ʔ͕ฦͬͯ͜ͳ͍

View Slide

ճආࡦ
• ڧ੍ΞοϓσʔτͷνΣοΫAPIΛ࡞੒͠ɺ 
ϐϯཹΊର৅Ͱ͸ͳ͍ผͷϗετʹஔ͘
• ผͷϗετΛཱͯΔʢαϒυϝΠϯͰΑ͍ʣ
• Firebaseͱ͔Ͱ୅༻͢Δ

View Slide

ຊ౰ʹϐϯཹΊͬͯඞཁʁ

View Slide

ຊ౰ʹϐϯཹΊ͢΂͖͔ʁ
• ࣄۀɾϓϩμΫτʹΑΔ
• Ұ཯ʹ͠ͳ͍ͱ͍͚ͳ͍ʗ͠ͳͯ͘΋͍͍ͱ
͸ݴ͑ͳ͍
• αʔόʔ & ΫϥΠΞϯτશମͰ҆શΛ୲อ͢
Δ
• ӡ༻ίετͱϦεΫͷόϥϯε

View Slide

Jailbreak
• Jailbreak͞Εͨ୺຤Ͱ͸ϐϯཹΊΛഁΕΔ
• ϐϯཹΊ͢Δ৔߹ɺJailbreak͞Εͨ୺຤΋஄
͘΂͖͔ʁ

View Slide

େࣄͳ͜ͱ
• ࣗ෼Ͱ൑அ͠ͳ͍͜ͱʂ
• ηΩϡϦςΟΤϯδχΞʹ૬ஊ͠Α͏

View Slide

ଞࣾ͸ϐϯཹΊ͍ͯ͠Δ͔ʁ
• CharlesͰ֬ೝͰ͖Δ
• Twitter͸ϐϯཹΊ͍ͯ͠Δ
• ւ֎ͷۜߦ͸΄ͱΜͲ͍ͯ͠ΔʢΒ͍͠ʣ
• ೔ຊͷۜߦ΍FinTechΞϓϦ͸͋·Γ΍ͬͯͳ͍ʁ
• গͳ͘ͱ΋ࣗ෼͕ΞΧ΢ϯτΛ͍࣋ͬͯΔͱ͜Ζ͸…

View Slide

·ͱΊ
• தؒऀ߈ܸରࡦͱͯ͠ɺSSLূ໌ॻͷϐϯཹΊ
ͷ࣮૷ํ๏Λ঺հ͠·ͨ͠
• ࣄۀϦεΫͱӡ༻ίετΛߟྀͯ͠ɺηΩϡ
ϦςΟͷઐ໳ՈͱҰॹʹ΍Δɾ΍Βͳ͍Λ൑
அ͠·͠ΐ͏

View Slide

ࢀߟϦϯΫ
• How to make your iOS apps more secure with SSL pinning
• https://infinum.co/the-capsized-eight/how-to-make-your-ios-apps-more-secure-with-ssl-pinning
• iOS certificate pinning with Swift and NSURLSession | StackOverflow
• https://stackoverflow.com/questions/34223291/ios-certificate-pinning-with-swift-and-nsurlsession
• Difference between Certificate pinning and public key pinning
• https://security.stackexchange.com/questions/85209/difference-between-certificate-pinning-and-public-key-
pinning
• Why is SSL certificate pinning required?
• https://stackoverflow.com/questions/45699036/why-is-ssl-certificate-pinning-required
• iOSΞϓϦͷηΩϡΞίʔσΟϯάೖ໳
• https://www.jssec.org/dl/20160323_Ikuya_Fukumoto.pdf
• LAC ηΩϡϦςΟ਍அϨϙʔτ

View Slide

Thanks!

View Slide

iOSアプリ内で不正なSSL証明書を検知する / SSL Pinning for iOS apps

iOSアプリ内で不正なSSL証明書を検知する / SSL Pinning for iOS apps

Keisuke Kobayashi

More Decks by Keisuke Kobayashi

Other Decks in Programming

Featured

Transcript