Reputation: 191
I'm a newb here but I have an app that is subject to MITM attacks.
After a bit of research it sounds like I need to do SSL pinning, i.e. keep a copy of my server's public key/certificate so the app can determine if the response came from it.
I have no idea how to do this. I am using Alamofire in Swift to handle the networking.
Upvotes: 19
Views: 19417
Reputation: 2180
Alamofire 5.0 is now released, and SSL pinning has changed. Look at the code snippet below.
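    let configuration = URLSessionConfiguration.default
    configuration.timeoutIntervalForRequest = timeoutIntervalForRequest

    let trustManager = ServerTrustManager(evaluators: [
        // Pins to the public keys of the certificates bundled with the app (the default)
        "prod.ehliyetcepte.com": PublicKeysTrustEvaluator(),
        // No server trust evaluation is performed for this host
        "dev.ehliyetcepte.com": DisabledEvaluator()])

    // Keep a reference to the session; requests are cancelled if it is deallocated
    self.session = Session(startRequestsImmediately: true,
                           configuration: configuration,
                           delegate: self,
                           serverTrustManager: trustManager)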
Upvotes: 11
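A fuller version of the Alamofire 5 setup above, as an added example that is not code from the answer or from the Alamofire project: it pins to the public keys of certificates bundled in the app and reports pinning failures separately from other network errors. The host `api.example.com`, the class `PinnedAPIClient` and its `fetch` method are assumptions made for illustration.

```swift
import Foundation
import Alamofire

// Hypothetical host name (assumption); replace with the API host your app talks to.
let pinnedHost = "api.example.com"

final class PinnedAPIClient {
    static let shared = PinnedAPIClient()

    // The Session must stay alive while requests are in flight;
    // a Session that is deallocated cancels its requests.
    let session: Session

    private init() {
        // Public keys extracted from every certificate file bundled with the app.
        let keys = Bundle.main.af.publicKeys
        // Catch a missing certificate during development: with no keys,
        // the evaluator rejects every connection to the pinned host.
        assert(!keys.isEmpty, "No certificate found in the app bundle")

        let evaluators: [String: ServerTrustEvaluating] = [
            pinnedHost: PublicKeysTrustEvaluator(
                keys: keys,
                performDefaultValidation: true, // keep normal chain validation
                validateHost: true              // certificate must match the host
            )
        ]
        // allHostsMustBeEvaluated: a request to a host without an evaluator
        // fails instead of falling back to unpinned TLS.
        let trustManager = ServerTrustManager(allHostsMustBeEvaluated: true,
                                              evaluators: evaluators)
        session = Session(serverTrustManager: trustManager)
    }

    // Hypothetical helper: GET a path on the pinned host and return the body.
    func fetch(path: String,
               completion: @escaping (Result<Data, AFError>) -> Void) {
        session.request("https://\(pinnedHost)\(path)")
            .validate()
            .responseData { response in
                if let error = response.error, error.isServerTrustEvaluationError {
                    // Pin mismatch, failed chain/host validation, or no evaluator
                    // for the host: do not retry over an unpinned session.
                    print("Server trust evaluation failed: \(error)")
                }
                completion(response.result)
            }
    }
}
```

When the server's key pair is rotated, the new certificate has to be shipped in an app update before the old one is retired, otherwise the pinned host becomes unreachable for installed copies.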
Reputation: 13414
Alamofire has now implemented certificate pinning. The documentation you need is in the Readme.md
https://github.com/Alamofire/Alamofire
See their example implementation:
    let serverTrustPolicies: [String: ServerTrustPolicy] = [
        // Pin to the certificates bundled with the app; chain and host are still validated
        "test.example.com": .PinCertificates(
            certificates: ServerTrustPolicy.certificatesInBundle(),
            validateCertificateChain: true,
            validateHost: true
        ),
        // No server trust evaluation is performed for this host
        "insecure.expired-apis.com": .DisableEvaluation
    ]

    let manager = Manager(
        serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
    )
Upvotes: 17
Reputation: 1236
As indicated here: https://github.com/Alamofire/Alamofire/issues/366
It is certainly something that the community is looking to support, but there's not a solid time frame around it yet. I'd say for the time being, you'll want to continue with AFNetworking, and keep a close eye on the Alamofire project for new features coming in.
Upvotes: 0