I've never had success with local CAs and self-signed certs on iPhone, despite going through the whole rigamarole of creating and installing an MDM profile with the trust root. Even after doing that, apps and Safari behave as if the certificate was untrusted. Is there some documentation you've successfully used and wouldn't mind pointing to?
If you create a custom SSL CA, you can add that CA to your ios devices and simulators, and they will trust your backend served with an SSL certificate issued by your custom CA, no app modifications needed. (On modern Android, this does not work out of the box - it requires the custom SSL CA fingerprints to be added to a network configuration file embedded in the app - but you could always use gradle flavors and only add it to your debug/development builds)
Hey there, author here! This took a little research: most of the instructions on the internet are for network admins adding local CAs to browsers rather than for users to control who they trust.
We ended up with instructions for configuring the major root stores: OS X, Windows, Firefox and Android. We weren't able to identify a way to choose which iOS 9 inbuilt certificates you trust - Apple Configurator 2 only allows you to add certs.
If HN knows knows how to do this on iOS, let us know!
HTTPS is sufficient against MITM, until someone disables all verification to use their self-signed cert, or adds their poorly-secured "CA" cert to the allowed CA's for the download, or adds a weak cipher to the list. Do you trust every app developer to do those right (if they even use HTTPS!)[0], or would you rather trust Apple to get it right in the centralized system they designed for app updates for all apps?
I'm not even fond of Apple, but I'd rather trust them, and I'm glad they're protecting their users.
[0] Caveat: I don't know how likely/possible these are to occur on iOS. I assume a sufficiently motivated & misguided developer could do them within their own app's context.
You can relatively easily MITM most applications by uploading a custom root certificate to your phone, and doing SSL termination + re-establishment on a router your phone is using.
Yes. Just email the self-signed certificate to yourself, then open it up on the iOS device. You can also create a personal CA and install it the same way, if you plan on connecting to more than one host.
With apps there’s two levels of validation that you can do, and only one is done by the OS.
The most common, and automatic, is the verification of the chain of trust. On iOS this happens automatically if you use the standard network APIs against an HTTPS URL.
You can take it a step further and avoid MITM attacks where the middle party is able to mint trusted certs by doing something called certificate pinning. This is a manual verification that the certificate used by the server you’re connecting to has certain properties that you know match your API server’s.
I think the underlying problem is that the apps stop talking because the certificate validity check fails when traffic is proxied through your MITM. No MITM proxy can make that succeed, but if you can control the CA store that apps read, then you can create a certificate, add it to the trusted roots, use that cert to sign a certificate for someone else's website, and then when the app uses the system library to verify the validity of the certificate, it will appear valid, even though it's not. Without being able to hack the certificate verification, you can't MITM traffic between two devices you own. I think that's the complaint the grandparent has.
Apps can still pin certificates, of course. At that point, you have to exploit the app's other faulty assumptions like "I'm running the same code that the compiler produced" or "writing 0 to memory address 0x12344321 and then reading memory address 0x12344321 will result in reading 0", which are straightforward to make false. Though probably not on a stock iPhone.
I understand the need for installing a certificate to capture SSL, but it would be nice if you could just roll your own root CA cert. The documentation is not clear wether this is possible...
Does this work with apps that do their own TLS using their own pinned certs? I don't see how it could. Surely that's a lot of high profile apps these days.
If this app works without root, it must be possible to apps on iPhone to add their own certificates to the system, which are then trusted by other applications - that would already be pretty alarming. I think Android still requires certificates to be manually imported by the user. Maybe this app points you to instructions on how to do this, but the description makes it sound very automatic.
If you are having your SSL connection to Apple MITMed, then you have much bigger problems. Ones like "why do you have a malicious root cert in your keychain?!"
reply