
On my project, we are using a closed source framework (Backbase, if you wanna know). This is a hybrid application framework that offers many security options "out of the box". One of them is certificate pinning, and I am quite intrigued by its implementation.

We only have to set a property in a configuration file and that's it. Every request done through URLSession.shared is processed through the framework and the pinning is effective. However, if I instantiate my own URLSession, then the pinning is not effective. But I can also make the pinning effective on a new URLSession by instantiating it with the framework's NSURLSessionConfiguration.

For those who only read code:

```swift
// Pinning effective
URLSession.shared.dataTask(with: request, completionHandler: completion)

// Pinning not effective
URLSession(configuration: .default).dataTask(with: request, completionHandler: completion)

// Pinning effective
URLSession(configuration: ShinnyFramework.getConfiguration()).dataTask(with: request, completionHandler: completion)
```

For me, URLSession.shared is immutable, so it was not possible to alter its working. And to implement pinning, the only way was to create a new URLSession with a custom URLSessionDelegate.

My question is: What did they do to get this behavior? Method swizzling, isa swizzling, something else?

Edit: I am not looking for a detailed explanation about how to implement certificate pinning. What interests me more is how to edit a supposedly immutable static property and how to configure the behavior of a URLSession object without using a delegate.

hulius
  • Hi Hulius, are you seeking an answer from Backbase? Or just wondering about the generic way to approach this in a non-backbase way? – Von Lion Oct 30 '17 at 08:59
  • Hey @VonLion ! I'm particularly curious about the generic ways to implement this kind of API – hulius Oct 30 '17 at 09:56
  • Hi @Hulius, if you are interested in just a "generic ways to implement this kind of API" you could ask about how to achieve SSL Pinning in iOS without adding Backbase into the equation. PD: I am the product owner of the Mobile SDK from Backbase. – Jbeerdev Nov 01 '17 at 08:29
  • Hi @Jbeerdev, I only spoke about Backbase to set the context of my question. My question is not really about "How to achieve SSL Pinning in iOS", which I know, but really about "How to do it this particular way", since I have never seen it implemented like that. – hulius Nov 01 '17 at 19:45
  • I don't know how they do it in Backbase but you could do this pretty easily by swizzling `URLSession.shared` to return a session with your own configuration. – dan Nov 22 '17 at 16:53
  • @dan if you could formulate that in an answer, I'd be happy to award you the bounty :-) But.. you only have 23 hours to do so, the expiration clock is ticking – Von Lion Nov 23 '17 at 08:50

0 Answers
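One generic mechanism that reproduces the three behaviours in the question's snippet without touching `URLSession.shared` itself, as an added example that is not part of the original thread and not Backbase's code (the page does not say how Backbase does it): a globally registered `URLProtocol` subclass, a different technique from the swizzling suggested in the comments. `PinningURLProtocol`, `installPinning`, `pinnedConfiguration` and the hash placeholder are hypothetical names; the example assumes iOS 15+ and pins the leaf certificate only.

```swift
import Foundation
import Security
import CryptoKit
// Hypothetical class; every name here is an assumption, not a framework API.
final class PinningURLProtocol: URLProtocol, URLSessionDataDelegate {
    // Constructed placeholder: base64 SHA-256 of the DER-encoded leaf certificate(s).
    static var pinnedHashes: Set<String> = ["<BASE64_SHA256_OF_LEAF_CERT>"]
    private static let handledKey = "PinningURLProtocol.handled"
    private var session: URLSession?
    override class func canInit(with request: URLRequest) -> Bool {
        // Claim each HTTPS request once; the marker keeps the inner request from re-entering.
        request.url?.scheme == "https" && URLProtocol.property(forKey: handledKey, in: request) == nil
    }
    override class func canonicalRequest(for request: URLRequest) -> URLRequest { request }
    override func startLoading() {
        let inner = (request as NSURLRequest).mutableCopy() as! NSMutableURLRequest
        URLProtocol.setProperty(true, forKey: Self.handledKey, in: inner)
        session = URLSession(configuration: .ephemeral, delegate: self, delegateQueue: nil)
        session?.dataTask(with: inner as URLRequest).resume()
    }
    override func stopLoading() { session?.invalidateAndCancel() }
    // The pin check runs in a delegate that the calling code never sees.
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        guard let trust = space.serverTrust, SecTrustEvaluateWithError(trust, nil),
              let leaf = (SecTrustCopyCertificateChain(trust) as? [SecCertificate])?.first,
              Self.pinnedHashes.contains(Data(SHA256.hash(data: SecCertificateCopyData(leaf) as Data)).base64EncodedString())
        else { return completionHandler(.cancelAuthenticationChallenge, nil) } // fail closed
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
    func urlSession(_ session: URLSession, dataTask: URLSessionDataTask, didReceive response: URLResponse,
                    completionHandler: @escaping (URLSession.ResponseDisposition) -> Void) {
        client?.urlProtocol(self, didReceive: response, cacheStoragePolicy: .notAllowed)
        completionHandler(.allow)
    }
    func urlSession(_ session: URLSession, dataTask: URLSessionDataTask, didReceive data: Data) {
        client?.urlProtocol(self, didLoad: data)
    }
    func urlSession(_ session: URLSession, task: URLSessionTask, didCompleteWithError error: Error?) {
        if let error = error { client?.urlProtocol(self, didFailWithError: error) }
        else { client?.urlProtocolDidFinishLoading(self) }
        session.finishTasksAndInvalidate() // drop the session's strong reference to this delegate
    }
}
// Global registration is consulted by URLSession.shared, not by URLSession(configuration: .default).
func installPinning() { URLProtocol.registerClass(PinningURLProtocol.self) }
// A custom session opts in through the configuration it is created with.
func pinnedConfiguration() -> URLSessionConfiguration {
    let config = URLSessionConfiguration.default
    config.protocolClasses?.insert(PinningURLProtocol.self, at: 0)
    return config
}
```

When auditing an app that relies on this pattern, search for every `URLSession(configuration:` call site: any session built from a stock configuration bypasses the pin.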