Reputation: 966
In my app, I've set up SSL Pinning on all my REST requests with the help of AFNetworking. This helps prevent MITM attacks. When I test my app using Charles proxy as the "man in the middle", the requests fail as expected. However, this is not the case for my login flow (OAuth 2.0) via SFSafariViewController. That is because ... this process of logging in is unrelated to AFNetworking.
I believe the problem could be solved if there was a way to achieve SSL Pinning on SFSafariViewController.
1) Is there a way to do this? I could not find anything online about this.
2) What are some ways people go about solving this problem? It seems like it is a security issue.
Upvotes: 3
Views: 855
Reputation: 1871
You could use WKWebView (WebKit) and create your own version of SFSafariViewController that has your pinning for where you use SFSafariViewController, but you can not certificate pin in SFSafariViewController. If you are using SFSafariViewController for downloading configuration profiles, then you are stuck, no cert pinning allowed and WKWebView will not "store" configuration profiles for installation, only Safari.app and SFSafariViewController can do that, to my knowledge.
Upvotes: 0
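The WKWebView approach suggested in the answer above could look like the following. This is an added example, not code from the answer or from any library mentioned on this page. The class name `PinnedNavigationDelegate`, the pinned host and the digest set are assumptions supplied by the caller, and `SecTrustCopyCertificateChain` requires iOS 15 or later.

```swift
import WebKit
import CryptoKit

/// Hypothetical delegate name; host and digests are supplied by the caller.
final class PinnedNavigationDelegate: NSObject, WKNavigationDelegate {
    private let pinnedHost: String
    /// Base64 SHA-256 digests of the DER-encoded leaf certificates to accept.
    private let pinnedDigests: Set<String>

    init(pinnedHost: String, pinnedDigests: Set<String>) {
        self.pinnedHost = pinnedHost
        self.pinnedDigests = pinnedDigests
    }

    func webView(_ webView: WKWebView,
                 didReceive challenge: URLAuthenticationChallenge,
                 completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only server-trust challenges for the pinned host are handled here;
        // everything else gets the system's default validation.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == pinnedHost,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        let pins = pinnedDigests
        // Trust evaluation can block, so run it off the main thread.
        DispatchQueue.global(qos: .userInitiated).async {
            let accepted = Self.leafMatchesPin(trust, pins: pins)
            DispatchQueue.main.async {
                if accepted {
                    completionHandler(.useCredential, URLCredential(trust: trust))
                } else {
                    completionHandler(.cancelAuthenticationChallenge, nil)
                }
            }
        }
    }

    /// Pinning is an extra check on top of normal chain and hostname validation.
    private static func leafMatchesPin(_ trust: SecTrust, pins: Set<String>) -> Bool {
        guard SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else { return false }
        let der = SecCertificateCopyData(leaf) as Data
        return pins.contains(Data(SHA256.hash(data: der)).base64EncodedString())
    }
}
```

Assign an instance to the web view's `navigationDelegate` and keep a strong reference to it, since that property is weak. RFC 8252 advises against embedded web views for OAuth authorization requests and some identity providers block them, so confirm the provider permits this before replacing SFSafariViewController in a login flow.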
Reputation: 4435
To me the following comment makes sense. There is no way to do any SSL pinning in SFSafariViewController, for two reasons:
Reference: https://github.com/datatheorem/TrustKit/issues/163
Upvotes: 1