Search Your Question

What is SSL Pinning and How to implement it?

SSL stands for Secure Socket Layer, which is a protocol for creating an encrypted connection between client and server. It ensures that all data pass in network will be private and integral.

How SSL works? When client establishes the connection with server (called SSL handshake):

  1. Client connects to server and requests server identify itself.
  2. Server sends certificate to client (include public key)
  3. Client checks if that certificate is valid. If it is, client creates a symmetric key (session key), encrypts with public key, then sends back to server
  4. Server receives encrypted symmetric key, decrypts by its private key, then sends acknowledge packet to client
  5. Client receives ACK and starts the session

Using SSL, the client will allow the connection only from trusted sources that have the valid certificate. And it looks good for most cases. But what if someone stands between client and server, and acts like they are the real server? Let's call client is C, server is S and the attacker is A.

In step 1, instead of sending packet to S, A can catch the packet and pretend it as S. What if instead of receiving certificate from S, client C will receive fake certificate from A and believe it's valid. A can make C think that it is communicating with S, but actually all connection flows will be directed to attacker A.

Hence, SSL pinning can be the solution to prevent Man-In-The-Middle (MITM) attack. SSL pinning will ensure that client connect with designated server. The main key of SSL pinning that server certificate will be saved in app bundle. Then, when client receives certificate from server, it then compares 2 certificates to make sure that they are the same before establishing the connection.


For NSURLSession, the main method to handle SSL pinning is URLSession:didReceiveChallenge:completionHandler:delegate. Set your class to conform URLSessionDelegate and paste this function to your class:

func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) {
        if let serverTrust = challenge.protectionSpace.serverTrust {
            var secresult = SecTrustResultType.invalid
            let status = SecTrustEvaluate(serverTrust, &secresult)
            if (errSecSuccess == status) {
                if let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) {
                    let serverCertificateData = SecCertificateCopyData(serverCertificate)
                    let data = CFDataGetBytePtr(serverCertificateData);
                    let size = CFDataGetLength(serverCertificateData);
                    let cert1 = NSData(bytes: data, length: size)
                    let file_der = Bundle.main.path(forResource: "name-of-cert-file", ofType: "cer")
                    if let file = file_der {
                        if let cert2 = NSData(contentsOfFile: file) {
                            if cert1.isEqual(to: cert2 as Data) {
                                completionHandler(URLSession.AuthChallengeDisposition.useCredential, URLCredential(trust:serverTrust))
    // Pinning failed
    completionHandler(URLSession.AuthChallengeDisposition.cancelAuthenticationChallenge, nil)

This function will “requests credentials from the delegate in response to an authentication request from the remote server.” We will compare the certificate from server with the one that saved in app bundle. If 2 certificates are identical, the authentication will let it pass and client can connect to server.

Types of SSL Pinning(What to Pin)?

Pin the certificate: You can download the server’s certificate and put this in your app bundle. At runtime, the app compares the server’s certificate to the one you’ve embedded.

One disadvantage of SSL pinning is that you have to save the certificate in the app. Whenever the certificate is updated, we need to release new version of app. But this also leads to another problem: what we do with older version?
  • Maintain the old certificate for a time, until we make sure all users have downloaded new version already.

Pin the public key: You can retrieve the certificate’s public key and include it in your code as a string. At runtime, the app compares the certificate’s public key to the one hard-coded hash string in your code.

No comments:

Post a Comment