Open source tool for deploying SSL public key pinning in iOS, OS X apps

At Black Hat USA 2015, Data Theorem and Yahoo! will be unveiling TrustKit, a new, open source security toolkit that helps developers easily include complex mobile security functionality, known as SSL pinning, on any iOS or OS X app.

SSL pinning is a step developers can take to ensure eavesdropping cannot occur on data connections on their mobile apps, by making sure the client checks the server’s certificate against a known copy of that certificate. While the concept is well known, it has traditionally been difficult and time-consuming to implement.

With the release of iOS 8, Apple relaxed rules regarding how code can be packaged within an iOS App. Previously, all code had to be statically linked into the apps binary. Apple is now allowing third-party frameworks and libraries to be embedded in an apps package and dynamically loaded at runtime as needed. This provides new opportunities to mobile and security engineers to improve the security of apps during development. Developers can now take advantage of this functionality, and utilize a new open-source library that leverages these mechanisms.

TrustKit provides “drag and drop” SSL public key pinning and can be deployed within an app in a matter of minutes, without having to modify the app’s source code.

Its key features include:

  • Easy to use SSL pinning: TrustKit can be deployed in minutes in any iOS or OS X App, without even modifying the app’s source code.
  • API-independent pinning by directly hooking into Apple’s SecureTransport. TrustKit works on NSURLSession, UIWebView, NSStream, AFNetworking, etc. all the way down to BSD sockets. All your app’s connections are protected.
  • Mechanism to report pinning failures, which allows apps to send reports when an unexpected certificate chain is detected, similarly to the report-uri directive described in the HTTP Public Key Pinning specification.

The toolkit will be made available on GitHub after the Black Hat presentation scheduled for August 6th.




Share this