Bypass SSL Certificate Pinning in iOS


How to find whether SSL pinning is implemented in the source code?

Search the source for strings such as "NSURLConnection"; the matches point you to the piece of code that implements pinning.
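An added example (not from the original post) that extends the string search above: besides "NSURLConnection" it looks for authentication-challenge handlers that also inspect the server certificate, which is where pinning logic normally sits. The indicator lists and the sample sources are assumptions constructed for illustration.

```python
# Added example: triage Objective-C sources for signs of certificate pinning.
# The indicator lists are assumptions chosen for this sketch; extend as needed.
NETWORK = ("NSURLConnection", "NSURLSession")
CHALLENGE = ("willSendRequestForAuthenticationChallenge", "didReceiveChallenge")
TRUST = ("SecTrustEvaluate", "SecTrustGetCertificateAtIndex",
         "SecCertificateCopyData", "NSURLAuthenticationMethodServerTrust")
CATEGORIES = (("network", NETWORK), ("challenge", CHALLENGE), ("trust", TRUST))

def scan_source(text):
    """Return (line_no, category, token) for every indicator found in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for category, tokens in CATEGORIES:
            hits += [(no, category, t) for t in tokens if t in line]
    return hits

def classify(hits):
    """A challenge handler that also touches the server trust is a likely pinning site."""
    seen = {category for _, category, _ in hits}
    if {"challenge", "trust"} <= seen:
        return "likely-pinning"
    if "network" in seen:
        return "network-only"
    return "no-network-code"

def audit(sources):
    """Map each file name to its verdict and the line numbers worth reading."""
    report = {}
    for name, text in sources.items():
        hits = scan_source(text)
        lines = sorted({no for no, cat, _ in hits if cat != "network"})
        report[name] = (classify(hits), lines)
    return report

# Constructed sample input (not taken from any real app).
SAMPLE = {
    "ApiClient.m": """@interface ApiClient () <NSURLConnectionDelegate>
- (void)connection:(NSURLConnection *)c
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)ch {
    SecTrustRef trust = ch.protectionSpace.serverTrust;
    SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *remote = CFBridgingRelease(SecCertificateCopyData(cert));
    if (![remote isEqualToData:self.pinnedCert]) { [ch.sender cancelAuthenticationChallenge:ch]; }
}""",
    "Feed.m": "[NSURLConnection sendAsynchronousRequest:req queue:q completionHandler:h];",
    "Util.m": "NSString *s = [NSString stringWithFormat:@\"%d\", 1];",
}

if __name__ == "__main__":
    for name, (verdict, lines) in audit(SAMPLE).items():
        print(f"{name}: {verdict} {lines}")
```

A "network-only" verdict means the file uses the networking API but shows no challenge handling, so a match on "NSURLConnection" alone does not confirm pinning.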



Below are the steps to intercept an app's traffic on iOS and bypass SSL pinning.

1) Put the jailbroken iOS device and the auditor laptop on the same network. Set the proxy settings on the iOS device to point to the auditor laptop.



2) Import the Burp Suite CA certificate onto the iOS device (the best method is to email the certificate to the device), then install the certificate on the device.



3) Download the latest release of IOS-SSL-KILLSWITCH (i.e. the *.deb file) and copy it to the device. Exit Cydia before installing the kill switch (otherwise you get a space error).



4) After successful installation, the iOS SSL Kill Switch appears under Settings. Toggling the switch enables/disables pinning.

 



Note: We tested this on a jailbroken device running iOS 8.1.2 with iOS SSL Kill Switch v0.6.

** Update: It's recommended to use the latest release of iOS SSL Kill Switch 2 by Alban Diquet.

Comments

  1. Cyber security is one of the most important measures that we should consider. Thanks for the great piece of content. The info is great.

  2. Very nice article. I am getting a space error while installing. Can you please explain point 3 in a little more detail?
