SSL Pinning

SSL Pinning, also known as Certificate Pinning, is a security technique implemented to ensure that an application establishes secure connections only with previously authorized servers. This verification is performed during the SSL/TLS handshake, validating the digital certificate or, in the case of iOS, the public key associated with the certificate presented by the server.

SSL pinning acts as an additional validation mechanism, ensuring that only the legitimate certificate or its previously configured public key is accepted, regardless of the operating system's trust settings. By doing so, the technique prevents attempts to intercept, capture, or modify requests exchanged with the backend, significantly reducing the risk of Man-in-the Middle (MITM) attacks.

In the iOS environment, MAD uses Public Key Pinning, validating the hash of the certificate's public key (SPKI – Subject Public Key Info) presented by the server. During the connection establishment, the received public key is compared with the values previously configured in the application. The communication is considered valid only when it matches one of the configured pins.

For the mechanism to work correctly, it is necessary to previously identify all domains used by the application's APIs, list them and configure them explicitly in the pinning policy, ensuring that all sensitive communications are properly protected.

Public Key Pinning is the recommended and default method on iOS. In this model:

• The hash of the certificate's public key (SPKI) is pinned. • This approach allows certificate renewal without needing to update the application, as long as the same public/private key pair is retained.

For Public Key Pinning configuration:

<key>ssl-pinning</key>
<true.>
    <dict>
        <key>*.example.comr</key>
        <string>4d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM>
    </dict>
<key>ssl-pinning-fallback<key>
<true/>