Sunday, Aug 07, 2011

Accepting Un-Trusted Certificates using the iOS Simulator

There are scenarios where an iOS developer might want to accept an un-trusted SSL certificate, such as when testing an application in the iOS simulator. By default, applications that use the NSURLConnection API for remote connections get built-in certificate validation, so developers or testers may encounter issues when testing HTTPS traffic in the simulator. Example scenarios include applications communicating with remote services hosted in a non-production environment that uses self-signed certificates, or testers who need to debug SSL communication between the application and the service using a local proxy tool such as Burp Proxy or Fiddler.

From a developer’s perspective, what is the best way to accept SSL certificates? While performing a Google search, I encountered the following thread on Stack Overflow discussing ways to accept self-signed certificates when using NSURLConnection to connect to a website. In general, the responses all recommended code-level changes to disable the built-in certificate validation performed by iOS. Although some answers recommend disabling certificate validation only for certain hosts, there are also recommendations for disabling validation for all hosts. Given the temptation to copy and paste, this guidance is likely to result in insecure iOS applications being released to the Apple App Store, as those applications will be susceptible to man-in-the-middle attacks.

Is there a better way to temporarily trust un-trusted certificates within the Simulator? In my opinion, the more secure way is to add the Certificate Authority (CA) certificate that signed the website’s certificate as a Trusted CA on the simulator. On an iOS device, this is easily done by emailing the CA certificate to the device and opening it there; however, this is not possible with the simulator. Behind the scenes, when a CA certificate is added as a Trusted CA on the device, the certificate is inserted into the tsettings table of the TrustStore.sqlite3 database. This database is also used by the Simulator and can be found in the ~/Library/Application Support/iPhone Simulator/<SDK version>/Library/Keychains/ directory on your Mac workstation.

The tsettings table stores the contents of the CA certificate (Fingerprint, Subject, etc.), but the only field needed by iOS during validation is the sha1 column, which holds the certificate’s SHA1 fingerprint. The table can be modified manually using one of the many available SQLite clients. To simplify this process, I wrote a simple Python script which imports CA certificates into each TrustStore database used by the Simulator. The following example walks through the steps for importing the PortSwigger CA certificate. Importing this certificate gives testers the ability to intercept application HTTPS traffic using Burp Proxy. We can still view and intercept SSL HTTP traffic while testing applications, but the insecurity of accepting un-trusted certificates is no longer built into the application logic.

Step 1: Modify the System Preferences/Network Proxy settings on your Mac in order to have all HTTP/HTTPS traffic be sent to your Burp Proxy.

Step 2: Visit an HTTPS website using Firefox. You will be shown a “This Connection is Untrusted” error page. Choose the Add Exception option and then click the View button. Enter the Details tab and you will be shown information about the certificate chain. Select the PortSwigger CA within the “Certificate Hierarchy” listing. Export the Certificate to the directory of your choice.

Step 3: Run the add_ca_to_iossim script and pass in the exported certificate as an argument. 

Sample Usage: 

python add_ca_to_iossim.py PortSwiggerCA.cer

Successfully added CA to /User/GDS/Library/Application Support/iPhone Simulator/4.3/Library/Keychains/TrustStore.sqlite3

Successfully added CA to /User/GDS/Library/Application Support/iPhone Simulator/4.3.2/Library/Keychains/TrustStore.sqlite3

Run the simulator while proxying through Burp Proxy and you should be able to intercept HTTPS traffic sent by your application.

The add_ca_to_iossim Python script can be downloaded from the GDS GitHub page.
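To confirm which simulator trust stores actually contain a given CA, for example before and after a proxy testing session, the tsettings lookup described above can be done read-only. This is an added example, not the add_ca_to_iossim script or GDS code. It assumes the sha1 column holds the raw 20-byte SHA1 digest of the DER certificate as a BLOB, and the function names are hypothetical.

```python
import base64
import glob
import hashlib
import os
import sqlite3
import sys
from pathlib import Path

# Simulator root as given in the post; one <SDK version> directory per SDK below it.
SIM_ROOT = os.path.expanduser("~/Library/Application Support/iPhone Simulator")

def cert_sha1(raw):
    """Raw SHA1 fingerprint of a certificate supplied as DER or PEM bytes."""
    text = raw.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        # PEM is base64-wrapped DER; the fingerprint is computed over the DER bytes.
        raw = base64.b64decode(text.split(b"-----")[2])
    return hashlib.sha1(raw).digest()

def trusted_fingerprints(db_path):
    """Hex SHA1 fingerprints in one TrustStore's tsettings table (opened read-only)."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        # Assumption: the sha1 column stores the raw 20-byte digest as a BLOB.
        rows = conn.execute("SELECT sha1 FROM tsettings").fetchall()
    finally:
        conn.close()
    return {bytes(row[0]).hex() for row in rows}

def audit(cert_bytes, sim_root=SIM_ROOT):
    """Map every TrustStore.sqlite3 under sim_root to True if it holds this CA."""
    wanted = cert_sha1(cert_bytes).hex()
    pattern = os.path.join(glob.escape(sim_root), "*", "Library", "Keychains",
                           "TrustStore.sqlite3")
    return {db: wanted in trusted_fingerprints(db) for db in sorted(glob.glob(pattern))}

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        for db, present in audit(fh.read()).items():
            print(("TRUSTED " if present else "absent  ") + db)
```

A matching fingerprint only shows that the row exists; according to the reader comments below, simulator 5.0 and later also require valid data in the other columns.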

Reader Comments (8)

I have an app where I am loading a UIWebView with an https://sometestserver:81/someurl. I get an error that I have an untrusted connection. I followed your instructions to get the certificate and used your script to add it to my simulator keychains and I am still unable to load the URL - I did validate that the script worked and added the entry into the simulator sqlite database -- I am using the latest iOS 5 beta as well. It seems to work just fine in Safari but not in my UIWebView. Any ideas for what might be going wrong?
August 15, 2011 | Unregistered Commenter Hiedi
I hit the same problem.
The script add_ca_to_iossim works fine with iOS 4.3 simulator. But it doesn't work for iOS 5.0 simulator.
October 30, 2011 | Unregistered Commenter Charles
Charles,

I know it's a little late in the game, but you might have to modify the Python script to insert this certificate on your iPhone Simulator for directory 5.0 rather than 4.3.

Hope this helps.
February 2, 2012 | Unregistered Commenter Karim Abdul
Hmm...my CA works great from a device - it does not work at all from the iPhone Simulator 5.1. I am getting Error: [('SSL routines', 'SSL23_READ', 'ssl handshake failure')] on the server side.
June 6, 2012 | Unregistered Commenter Marcin Czenko
I found a workaround for the problem with iPhone Simulator version 5. The script is doing a great job, but it seems that not only the sha1 column but also other columns matter and it is not enough to fill them in with a random blob of fixed length. I wrote a post on my blog describing the whole process: http://redgreenrefactor.eu/blog/testing-https-on-iphone-simulator/
June 7, 2012 | Unregistered Commenter Marcin Czenko
Starting from v5.0, all columns in TrustStore.sqlite3 must have valid data. There is now a script that directly imports and manages CA certificates in simulator v5.0 and above (at least up to 6.1) together with a description of the TrustStore.sqlite3 structure. Check https://github.com/ADVTOOLS/ADVTrustStore
March 8, 2013 | Unregistered Commenter Daniel C
The iPhone simulator version 5 and above require that all fields have valid data. I have written a script that works for iOS 5.0 and above (verified with 6.1), allowing to directly import (and manage) CA certificates in the simulator. I have documented my findings on the content of the fields in TrustStore.sqlite3. This is available on GitHub at https://github.com/ADVTOOLS/ADVTrustStore
March 13, 2013 | Unregistered Commenter Daniel Cerutti
An update for people looking for a solution for v6.0 of the simulator: Don't use the add_ca_to_iossim.py script, the data it inserts into the database isn't valid for newer versions of the simulator. Instead use ADVTrustStore, it supports v5.0 to v6.1 and can also list and delete previously inserted certificates:
https://github.com/ADVTOOLS/ADVTrustStore
April 24, 2013 | Unregistered Commenter Kenni
