Man in The Middle Attack and SSLPinning | Ethical Hacking | Charles | iOS | Swift

Man in The Middle Attack and SSLPinning | Ethical Hacking | Charles | iOS | Swift | Xcode

День тому

In this video, I’ve discussed about some of the good practices for enhancing the security of an iOS Application. I’ve demonstrated that how Charles can be used for intercepting the web service calls, how HTTPS prevents it. Further, how Man In The Middle Attack can be performed (using Proxy certificate) for bypassing HTTPS security. What is SSL Certificate, how does it work, asymmetric cryptography, why it should be pinned (SSL Pinning) with the app, Certificate Pinning and Public Key Pinning, in what scenario can SSL pinning fail and obfuscation.
Implementation of Certificate Pinning -
gist.github.com/pallavtrivedi...
Inspiration & implementation of Public Key Pinning -
/ ssl-pinning
Credits -
Hacking video (used in starting of the video) by Mikhail Nilov from Pexels
www.pexels.com/@mikhail-nilov...
Chapters 👇🏼
00:00 Start
00:09 Introduction
01:07 Intercepting web service calls made over HTTP
02:23 Configuring Charles
05:40 How HTTPS differs from HTTP
07:55 Asymmetric Cryptography
08:41 SSL Certificate and it’s working
11:19 Man In The Middle Attack (Concept)
12:20 Man In The Middle Attack (In Action)
15:43 SSL Pinning
22:24 Obfuscation

КОМЕНТАРІ: 110

@VirendraKumar-zf1yg 2 роки тому

1. Encrypt and decrypt , request and response using AES, 2. Proxy check 3. SSL pinning 4. Rooted Device check 5. Virtual device check ( if we have implemented pallycon don't neet to check ) These are security for iOS application security

@heshanlk17 2 роки тому

Haven't been able to find a better explanation in the whole internet! 👏

@ChandanKumar-dv4ky Рік тому

Excellent video. Thanks for making the concept clear in a very easy-to-understand way and also through a simple demo.

@vaishurao4814 2 роки тому

I'm preparing for my iOS interviews. This concept been asked couple of times. Thank you for sharing your knowledge !!!

@iCode_Happy_Coding 2 роки тому

Yes, this is one of the important interview questions, especially when interviewer wants to ask about the security aspects. Glad that you found the video useful🙂

@thepentesterguyofficial Місяць тому

I agree, some times we face issue to bypass by cause of different logic of how the code is written and what function to call. Also would like to thank you and appreciate you for such a simple walk through of the concept and issue.

@unwindarts3377 2 роки тому

Thank you so much for very clear explanation, the way you explain makes the hard topic which are difficult to understand look easy. Please keep sharing with us awesome videos.

@rushibhatt4262 2 роки тому

I love your videos..! They are always so detailed and they always focus on things that you simply cant find in normal iOS tutorials. Keep them coming..! 🎉🎉🙏🏻🙏🏻

@iCode_Happy_Coding 2 роки тому

Thanks Rushil 🙂

@GopalDevra Рік тому

Pallav, you are very good in Programming and clear about the concepts. Thanks for helping. 🙏🏻

@RohitPatil_Tech 10 місяців тому

Great video. Explained in a very clear way. Thanks Pallav!

@followerOfJesus723 Рік тому

Please continue to make informative videos like this. Videos that other people aren't making!

@GauravKumar-kb1id 2 роки тому

Thanks, you made it simple, I was trying to learn this concept from long back but due to complex explanations I was not able to grab it.👍

@iCode_Happy_Coding 2 роки тому

Glad that you found the video helpful 🙂

@followerOfJesus723 Рік тому

Thanks so much. This is the 3rd video that you made that I'm studying. Thanks!!!

@maryjudit6313 Рік тому

Clear explanation.. Keep doing more videos💫💥

@sagarkadam8036 Рік тому

Awesome Bro.. No one has ever explained http to SSL Pinning in such a way till date !!! Keep up the good job.. loads on Love for your video content.. :-) Any pointers or guideline usage for SwiftShield for obfuscation ? per you explanation we got the hang that the function names and variables are given random names so that no one can know what is being used for what.. having more complexity.

@himanshugarg3957 9 днів тому

This was really detailed and Helpful Video👍

@diegooruna1305 2 роки тому

I love these iOS security videos. Do more, please!

@iCode_Happy_Coding 2 роки тому

Sure Diego. I'll try to cover more topics on the same lines. 🙂

@amirmuhsin Рік тому

Perfect explanation, dude. Subscribed :D Thanks

@hotskyakash 2 роки тому

Wonderful 🥇 video for complex topic

@user-et4xr5nb3q 7 місяців тому

loved the explanation , good job

@MrRaveHaven Рік тому

Thanks for the explanation!!

@sajibghosh1918 8 місяців тому

Best iOS tutorial video ever seen! 🎉❤

@anandmishra3926 2 роки тому

Love this Video. Thank You.

@puneetpal1466 2 роки тому

Million thanks for such a hot topic with beautiful explanation ✌️✌️

@iCode_Happy_Coding 2 роки тому

Thanks Puneet 🙂

@vigneshshetty2169 2 роки тому

Thank you sir ur videos helping me a lot to grow my knowledge because I am a fresher so I am in a begging stage thanks again

@saurabhsierra9195 2 роки тому

Awesome and knowledge filled as always... Thank you. 💐

@iCode_Happy_Coding 2 роки тому

I’m glad that you liked the video. Thanks for your constant support 😊

@saurabhsierra9195 2 роки тому

@@iCode_Happy_Coding Most Welcome you and your team always...as good content today are less seen .

@MAHOSSAN1 Рік тому

Excellent tutorials . Good explanation

@MohiDP 2 роки тому

Your posts are always helpful!! Thanks for your efforts. I have a question, is it possible to extract entities like public key and the api keys from the ipa ?? If so, what are the ways to save them in the app safely?

@bamanstech3006 2 роки тому

Interesting , thank you for sharing.

@vaibhavabajpai9834 2 роки тому

Thank you so much for clearing my one doubt. Thanks a ton.

@iCode_Happy_Coding 2 роки тому

Glad that you found the video helpful 🙂

@shubhamojha4344 2 роки тому

Kya vaibhava ji bhot padhai kar rahe ho :D

@akshaykumar-qj2kx 2 роки тому

Thanks Pallav. You video is very informative

@iCode_Happy_Coding 2 роки тому

Thanks Akshay 🙂

@sainiketan47 2 роки тому

Good one 👍

@shubhamkshatriya2609 2 роки тому

Best explanation i have seen so far. Can you please also make video on how ofuscation is done??

@chandraindia1614 Рік тому

Thanks for sharing video. It is awesome. Could you pls explain certificate transparency and which technology to use to avoid security concerns. How bank apps are managing

@ferrerasalexander 6 місяців тому

Excelente Video

@pushpabisht4850 2 роки тому

Superb explanation 👍

@LifeTravelExplorer 2 роки тому

great explained.

@TheDreadeddevil Місяць тому

Great video💯

@jagdishshinde3102 2 роки тому

amazing explanation sir.. my question is after this handoff, what next ?? how to handle all the apis... suppose i need the PERSON data then what i need to do???

@AlgorithmDecoded 11 місяців тому

MaZA aa gya , dhaga khul gya MITM ka

@pawanmanjani1298 2 роки тому

Superb man Please keep posting

@iCode_Happy_Coding 2 роки тому

Thanks Pawan 🙂

@MithileshKumar-zm2jb 8 місяців тому

Very good explanation. We have one query. Please clear this. How we are sending a encrypted key to server after successful verification of server certificate with our bundle certificate?

@guidence9151 2 роки тому

i am waiting for this type of videos thank you

@iCode_Happy_Coding 2 роки тому

Thanks Swapnil 🙂

@polu9132 2 роки тому

Nice to see that you are covering the topics which are not covered by most of the tutors over the internet. Thank You Sir. Lots of love. 🙏

@iCode_Happy_Coding 2 роки тому

Thanks Polu 🙂

@rehanismail7082 2 роки тому

I like a lot your tutorial 👍.Perfect

@iCode_Happy_Coding 2 роки тому

Thanks Rehan 🙂

@Cdswjp 2 роки тому

I may be mistaken, but I believe your short clip that attempts to describe asymmetric encryption is actually defining end-to-end encryption, which does use asymmetric encryption…. Although asymmetric encryption refers to a private key & public “key pair” (which differs from symmetry encryption), there are multiple ways asymmetric encryption can be implemented (ie. Diffie-Hellman Key exchange). In your short video clip you conveyed that asymmetric encryption is E2EE, which is incorrect. E2EE is 1 great implementation of asymmetric encryption, but asymmetric encryption is not E2EE. Overall, thanks for your videos, honestly. You do a fine job.

@arturponomarenko6713 Рік тому

Thank you for the video! Am I the only one who heard the word "Jazz" when the speaker were saying "Charles" 😅

@Rahul-jf5kf Рік тому

please make video on PKCS12 for security. also make one overview video on what are the ways to implement various levels of security.

@manjeetchoudhary5860 2 місяці тому

You are great 😮😮

@farooqueazam8579 2 роки тому

Nice video thank you

@S3Kglitches 2 роки тому

Great!!!!

@asherazeem3282 2 роки тому

In case of ssl pinning hacked. We can also use Safety net implementation or Appattest service. Like, we use captcha in our web app. And we also can implement jail break for rooted device. Thing will be secure. After jail break implementation no one will be able to open app with rooted device.

@avinashvardhan6208 2 роки тому

Do we need to write the didReceiveChallenge method for every new or another web service call?

@UK-lp7no 2 роки тому

Great video dude, thanks a lot! How about the certificate we keep in our bundle, shall we store it in Keychain for safety? or just add it into our project? Because, attackers might do a reverse engineering and even get access to the certificate we are storing in bundle.

@iCode_Happy_Coding 2 роки тому

Definitely. We must put the certificate in Keychain. Thanks for highlighting this 🙂

@manojshivhare937 2 роки тому

thanks for sharing such informative video with us. may i know is there any paid tool which can intercept API despite having certificate pinning ??? please let me know if anything.

@anweshannu2518 2 роки тому

Thank you very much Sir. Could you please make Videos on what is DRM, fairplay and widevine etc

@iCode_Happy_Coding 2 роки тому

Thanks for the suggestion Anwesh. It's one of my favourite topics and will definitely look for covering it. 🙂

@rameshK-yx8nz 2 роки тому

Great video...Thanks for the information...may I please know how to achieve obfuscation?

@iCode_Happy_Coding 2 роки тому

Thank you Ramesh 🙂. Obfuscation takes a separate set of efforts, and expertise which I’m not aware of. But most of the companies take third party assistance for obfuscation. For example, Guard Square - it provides obfuscation services PS - not a paid promotion 😅

@swapnilmore3944 2 роки тому

Great tutorial..

@iCode_Happy_Coding 2 роки тому

Thank you! 🙂

@rogupta123 2 роки тому

What prevents the MITM downloading the same certificate as the real webserver. Would this bypass SSL pinning check?

@mepolob Рік тому

Hi iCode I have implemented SSL pinning through public key pinning in one of my app. But I'm getting different keys from the server while running the app in the device. Sometimes the public key from the server is matching and sometimes it's not. Can you please tell me what's going wrong here? Thanks in advance.

@GauravKumar-kb1id 10 місяців тому

I need to implement this for one of my projects, that project communicates to multiple domains, will it be possible to do pinning for various domains or can we do it for one and can trust communication for others? I would greatly appreciate how we can achieve this any idea or thought.

@thahiraf1317 2 роки тому

👍👍

@manjeetchoudhary5860 2 місяці тому

❤🎉🎉

@chsjsiwixhsiwidjjcksis5649 Рік тому

can we patch smali to bypass certificate pinning ?

@ankit_gupta_23_Sept Рік тому

How can we implement dynamic SSL pinning in swift?

@VirendraKumar-zf1yg 2 роки тому

We can add another layer also with SSL pinning , means we can check device is rooted or not if device is rooted we can terminate app.

@timelapse7454 2 роки тому

Hi, I am trying to implement, Root check/Jailbreak detection I our App, but not able to find any reliable method, can you please share any document or link if you have any. Thanks.

@codepro6249 2 роки тому

SecTrustGetCertificateAtIndex is deprecated in ios 15. any solution?..

@jsmnp07 2 роки тому

Why policy array not used?

@techsavvy5040 Рік тому

For Public Key pinning, as we are keeping Public Key hard coded in iOS code, that public key need to be same even after SSL certificate renewal. Is that my understanding correct?

@rajanmaheshwari Рік тому

Correct. When you renew your certificate, the public key remains the same. However, if you change the certificate, public key will also change. TrustKit allows you to keep two public keys so if one fails, it can fall back to the other.

@sureshdurishetti5835 11 місяців тому

What is the good practice to keep/have public hard coded pinning key in Xcode?

@vinaypiplani2373 2 роки тому

Hi Pallav, Hope you are doing well ! I would request you to please make a video in Hindi language also.

@iCode_Happy_Coding 2 роки тому

I try to use a language that is understandable by everyone. I’ll try to add subtitles in Hindi 🙂

@omkamath 11 місяців тому

Can this be done for third party APIs such as Google APIs?

@shikhabudhiraja7084 2 роки тому

What if man in middle have the public key of our server certificate? Since it wont chanve with tym, its more prone to issues like leaking of public keys...please clarify?

@rajanmaheshwari Рік тому

Public Key as the name suggests is public to all. You can extract the public key of any domain. The point is that if that man in the middle tries to intrude, the public key of that intruded host will change and will not match with the public key of your actual domain. The issue is not that the public key is exposed. It's already exposed. To hide the function where you are actually using that key, use obfuscation.

@iostutorial518 2 роки тому

App in the production if It’s possible to expire the certificate how we could to update it? We need to get the updated certificate through the api?

@chandraindia1614 Рік тому

No, you need to update the app with the new certificate and allow users to forcefully update the app. Thanks

@rajanmaheshwari Рік тому

You can build whatever logic you want. You can update the already saved certificate and download it from your custom-made API, save it in the document directory, overwrite the existing one, and then pass the DD path of your local certificate to match the host certificate. Doesn't necessarily always need to update the app. This type of logic only works when you keep your cer in DD path and not in the App bundle. For App bundle, you need to update the app.

@neerajverma9226 2 роки тому

But if we use DNS poisoning we can easily bypass SSL pining, isn't it?

@Shanmugarajeshwaran 2 роки тому

I Have followed step, which is given in the medium blog for public key pinning, not working for me. Always getting wrong hash, compared to hash generated from terminal

@iCode_Happy_Coding 2 роки тому

I’ll try to cover it in detail.

@Shanmugarajeshwaran 2 роки тому

@@iCode_Happy_Coding 😀👍

@variousd3507 2 роки тому

I guess that this method is not working on https protocols right?

@iCode_Happy_Coding 2 роки тому

It works for HTTPS as well (as I demonstrated in the video). It will not work if SSL pinning would have been done.

@AnuragKashyap17 2 роки тому

How to perform obfuscation ???

@AnuragKashyap17 2 роки тому

Great tutorial btw 💗

@iCode_Happy_Coding 2 роки тому

Glad that you liked the video. Generally it is done by using third parties like Guard Square. What they are doing internally is very detailed topic that even I'm not 100% aware of. I'll try to learn and cover it in one of my upcoming videos. Thanks for the suggestion 🙂

@AnuragKashyap17 2 роки тому

@@iCode_Happy_Coding Thank you for the reply. And it will be awesome if it is coming in future. And the videos are really of very high quality content. Keep up the good work.

@brooklyn7853 Рік тому

it doesnt make app secure it just hide app developer and backend problem. allow user to intercept traffic so they can see who is making network calls.