Hacking and Securing iOS Applications by Jonathan Zdziarski

Attacking Application-Level SSL Validation

Fortunately, SSL certificate validation is turned on by default in Apple's SDK. Applications that use the standard Foundation classes to make web requests fail when they attempt to fetch data from a site whose SSL certificate does not check out. For example, the NSString class's stringWithContentsOfURL:encoding:error: method returns nil (and fills in the NSError) if the remote resource presents an invalid, expired, or self-signed certificate. Under the same conditions, NSURLConnection fails the request and its delegate receives connection:didFailWithError: with an NSURLErrorServerCertificateUntrusted (-1202) error rather than any response data.

Applications that use lower-level APIs, such as raw C or C++ sockets with a TLS library layered on top, or external libraries such as libcurl, must check for themselves that the peer certificate is actually being validated, because those libraries let the developer switch validation off. With libcurl, for instance, validation happens only while CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are left at their enabled defaults; setting either to 0 silently accepts any certificate. Figure 9-8 shows what the user sees when validation is working: the application refuses to proceed and warns that the connection cannot be trusted. Without validation, no dialog would be displayed and the data would be transmitted to the untrusted host, which in a man-in-the-middle scenario is the attacker.

Figure 9-8. PayPal’s mobile application doing what it’s supposed to do when the connection can’t be trusted.

The SSLTheft Payload

Developers sometimes write their applications to deliberately disable SSL validation so that they can work with development or internal websites that use self-signed certificates. Unfortunately, this undermines the entire integrity of SSL: the code that accepts a self-signed certificate accepts an attacker's certificate just as readily, and an attacker who can inject code into an application can use exactly the same methods to infect it. The following two methods can be added to any NSURLConnection delegate class to disable all SSL validation for the connections that notify that class.

- (void) connection:(NSURLConnection ...
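The listing above is cut off on this page. As an added example that is not the book's own listing, the following Objective-C shows the two delegate methods in the form an SSLTheft-style payload would use (InsecureDelegate, which accepts any server trust it is handed) next to a hardened delegate (PinnedDelegate) that runs the normal chain evaluation and additionally pins the server's leaf certificate against a copy shipped in the app bundle. The class names and the bundled resource name "server.der" are assumptions chosen for the example.

```objc
// Added example, not the book's listing. Two NSURLConnection delegates side by side:
// InsecureDelegate is the payload pattern described above (no validation at all);
// PinnedDelegate keeps system validation and pins the leaf certificate.
// The bundled certificate file name "server.der" is an assumption.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// --- Vulnerable: accepts every certificate (self-signed, wrong host, MITM) ---
@interface InsecureDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation InsecureDelegate

- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    // Volunteer to handle the server-trust challenge ourselves instead of the OS.
    return [protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if ([space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Wrap whatever trust object the server presented in a credential without
        // ever calling SecTrustEvaluate: any certificate is accepted.
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust]
             forAuthenticationChallenge:challenge];
        return;
    }
    [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
}

@end

// --- Hardened: system chain/hostname validation plus leaf-certificate pinning ---
@interface PinnedDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedDelegate

- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    return [protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
        return;
    }

    SecTrustRef trust = space.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    // Step 1: the same chain, hostname and expiry evaluation the OS performs by default.
    BOOL chainOK = (SecTrustEvaluate(trust, &result) == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified ||
                    result == kSecTrustResultProceed);

    // Step 2: the presented leaf must be byte-for-byte identical to the pinned copy,
    // so a certificate from any other CA, even a trusted one, is rejected.
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
        NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"der"];
        NSData *pinned = path ? [NSData dataWithContentsOfFile:path] : nil;
        pinOK = (pinned != nil) && [presented isEqualToData:pinned];
    }

    if (chainOK && pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed: the request errors out instead of sending data to an untrusted host.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

A quick way to check which of the two behaviours an application actually has is to proxy it through an intercepting proxy with an untrusted certificate: a delegate like InsecureDelegate lets the traffic through silently, while the default handling or PinnedDelegate fails the request. Note that pinning the raw leaf certificate means the bundled copy has to be updated whenever the server certificate is renewed; pinning the public key instead avoids that, at the cost of a little more code.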
