Hacking and Securing iOS Applications by Jonathan Zdziarski

Attacking SSL

SSL is one of the digital world’s most important forms of secure encryption. Countless transactions are performed daily over public networks with banks, online merchants, and other financial institutions. SSL incorporates a public key infrastructure (PKI) to deliver strong encryption and prevent data from being intercepted by third parties. Although SSL itself has proven quite sound, most attacks against it have exploited a user interface that fails to alert the user when the SSL session isn’t properly validated.

SSLStrip

SSLStrip is a penetration-testing tool written by Moxie Marlinspike of Thoughtcrime, available at http://www.thoughtcrime.org. SSLStrip intercepts HTTPS traffic by using a man-in-the-middle (MITM) attack to strip the SSL from a connection with a 302 redirect. If the application creating the client-side SSL connection does not properly validate its SSL session, the SSL can be stripped from the connection, exposing unencrypted data that can then be intercepted. When traffic is being redirected transparently to a proxy server, as you learned how to do in the last section, this type of attack can be easy to pull off.

Unlike web browsers, applications don’t reflect the status of the SSL connection in the user interface (unless they’re loading part of the application as a web page). As a result, many of the common signs of traffic tampering aren’t as evident, as the application itself uses the secure connection behind the scenes. When using a web browser, ...
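Because an application gives the user no visual cue that a session has been downgraded, the client code itself has to refuse the https-to-http redirect that SSLStrip depends on. The following Python example is added here for illustration and is not from the book or from SSLStrip; it assumes the client uses urllib and constructs the redirect inputs inline, so it runs without a network.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse


def is_downgrade(original_url, redirect_url):
    """True when a redirect would move an https:// session onto plain http://.

    This is the transition SSLStrip relies on: the client asked for a TLS URL,
    the man-in-the-middle answers with a 302 to the same resource over http,
    and an unwary client quietly follows it.
    """
    before = urlparse(original_url).scheme.lower()
    after = urlparse(redirect_url).scheme.lower()
    return before == "https" and after != "https"


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that refuses https -> http redirects instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            # Surface the downgrade as an error so the application can log it
            # and treat the session as tampered with, rather than continuing in the clear.
            raise HTTPError(req.full_url, code,
                            "refusing redirect from TLS to cleartext: %s" % newurl,
                            headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener():
    """Opener for application traffic that must never leave TLS (hypothetical helper)."""
    return urllib.request.build_opener(NoDowngradeRedirectHandler())


def check_redirect(original_url, code, location):
    """Feed a constructed redirect to the handler without touching the network.

    Returns the URL the client would follow, or None if the redirect was refused.
    """
    handler = NoDowngradeRedirectHandler()
    req = urllib.request.Request(original_url)
    try:
        new_req = handler.redirect_request(req, None, code, "Found", {}, location)
    except HTTPError:
        return None
    return new_req.full_url
```

This guards only the redirect step; the handler still relies on the platform's normal certificate validation for the TLS connection itself.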