Data Theorem and Yahoo To Demo Open Source Mobile App Security Tool
Data Theorem Inc. and Yahoo will demo and then open source a new tool designed to simplify SSL security on iOS mobile apps.
The TrustKit toolkit provides a drag-and-drop interface to help iOS app developers increase their encryption security by taking the extra step of "SSL pinning."
SSL pinning adds a step to the back-and-forth process between a server and a client that's requesting an SSL certificate. As PossibleMobile.com explains:
The default way iOS SSL connections work is as follows. The client makes a connection to the server and the server responds with its SSL certificate. If that certificate was issued by a Certificate Authority that is trusted by the OS, then the connection is allowed. All data sent through this connection is then encrypted with the server's public key. The part that is of interest to us is 'trust.' For an attacker to perform a 'man in the middle' attack, the mobile device would have to trust the attacker's certificate. It is very unlikely that the attacker possesses a trusted certificate and therefore this is normally not an issue. However SSL weaknesses have happened before and using SSL Pinning can mitigate this possibility.
Data Theorem, a mobile app security firm, said that while the concept is well known to developers, it has been problematic to implement, so it's simplifying the process.
"SSL pinning often goes overlooked when developers are designing mobile apps for scale, but it is crucially important to the security and privacy of communications on billions of mobile devices," said company CEO Himanshu Dwivedi in a statement today. "With this new, open source toolkit, we are making it simple to significantly upgrade the security and privacy of every mobile app, and all of its communications."
The toolkit will be available for download on GitHub immediately after the project is demonstrated by Data Theorem and Yahoo in a presentation Thursday at the Black Hat USA 2015 security conference in Las Vegas.
Data Theorem explained that the toolkit was made possible after Apple relaxed its code packaging rules with the release of iOS 8, allowing the dynamic loading of third-party code from within apps, whereas before, such code had to be statically linked to a project's binary.
"This provides new opportunities to mobile and security engineers to improve the security of apps during development," Data Theorem said. "Developers can now take advantage of this functionality, and utilize a new open source library that leverages these mechanisms."
That open source library was developed in conjunction with Yahoo, which provided resources to the project such as research time from its "Yahoo Paranoids" security team. With this insider participation, Yahoo is one of the early adopters of the technology, a project spokesman told ADTmag.
Data Theorem said the toolkit provides the following features:
- Easy to use SSL pinning: TrustKit can be deployed in minutes in any iOS or OS X app, without modifying the app's source code.
- API-independent pinning by directly hooking into Apple's SecureTransport. TrustKit works on NSURLSession, UIWebView, NSStream, AFNetworking and more, all the way down to BSD sockets. All app connections are protected.
- Mechanism to report pinning failures, which allows apps to send reports when an unexpected certificate chain is detected, similarly to the report-uri directive described in the HTTP Public Key Pinning specification.
David Ramel is the editor of Visual Studio Magazine.