I use HTTPS in my iPhone application to communicate with my own API.
I noticed that when I try to sniff packets on HTTPS, it will not show any important information. But when I tried Fiddler2 and installed a trusted certificate on my iPhone (which was issued by Fiddler2), I was able to see all my HTTPS calls!!! This can cause a serious security problem.
I tried this with other applications, and some of them will not show anything in Fiddler, as if they are somehow protecting themselves!
How can I protect my application?
Thanks
--- Additional information for the selected solution ---
If you have been using AFNetworking since version 1.1, you can do the following to solve the problem:
Add the following to your PROJECT-Prefix.pch:
#define _AFNETWORKING_PIN_SSL_CERTIFICATES_ 1
Make sure you add the security structure, then import it into the AFURLConnectionOperation.m file:
#import <CommonCrypto/CommonDigest.h>
Add this extra function to the file:
// Returns the hex-encoded SHA-256 digest of the UTF-8 bytes of `input`.
- (NSString *)sha256:(NSString *)input {
    // Hash the UTF-8 byte representation. Using input.length here would be
    // wrong: it counts UTF-16 code units, not bytes, so non-ASCII input
    // would be hashed with the wrong length.
    NSData *data = [input dataUsingEncoding:NSUTF8StringEncoding];
    uint8_t digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(data.bytes, (CC_LONG)data.length, digest);
    // Render the 32 digest bytes as 64 lowercase hex characters.
    NSMutableString *output = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
        [output appendFormat:@"%02x", digest[i]];
    }
    return output;
}
Replace this line:
if ([[[self class] pinnedCertificates] containsObject:certificateData])
with this:
if ([[self sha256:[certificateData description]] isEqualToString:SSL_CERTIFICATE_SHA256])
Make sure you calculate the SHA-256 of the server certificate and define the value in your prefix file:
#define SSL_CERTIFICATE_SHA256 @"<certificate SHA256 value>"
Done!
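The step "calculate the SHA256 of the server certificate" worked through as an added example (not code from the post or from AFNetworking): it uses the openssl CLI on a constructed self-signed certificate standing in for the API server's, produces the value for SSL_CERTIFICATE_SHA256, and checks a certificate against that pin; the SPKI variant goes beyond what the post does.

```shell
#!/bin/sh
# Added example, not code from the original post or from AFNetworking.
# Computes the value to put in SSL_CERTIFICATE_SHA256 and checks a certificate
# against a pin the same way the patched evaluateServerTrust comparison does.
# Assumes the openssl CLI is available; the certificates are constructed
# self-signed ones standing in for the real API server certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for "the server certificate": $1 = PEM output path, $2 = CN.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/key-$2.pem" -out "$1" >/dev/null 2>&1
}

# SHA-256 over the DER encoding of the certificate, as 64 lowercase hex chars.
# This is the pin value; the sha256: helper in the app must hash exactly these
# DER bytes (what SecCertificateCopyData returns) for the comparison to match.
cert_sha256() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/.*= *//'
}

# SHA-256 over the SubjectPublicKeyInfo instead of the whole certificate: this
# pin survives a certificate renewal that keeps the same key pair, so it needs
# fewer app updates (this generalises beyond the post, which pins the cert).
spki_sha256() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= *//'
}

# Exit 0 when the certificate at $1 hashes to the pinned value $2, else 1.
pin_matches() {
    [ "$(cert_sha256 "$1")" = "$2" ]
}

# For the real server (needs network), capture the leaf certificate with:
#   openssl s_client -connect api.example.com:443 -servername api.example.com \
#     </dev/null 2>/dev/null | openssl x509 -out server.pem
# and then run: cert_sha256 server.pem
```

A pin that compares against a single certificate hash breaks the app the day the certificate is renewed, so ship a backup pin or prefer the SPKI form.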