I'm using HTTPS in my iPhone app to communicate with my own API.
I've noticed that when I try to do packet sniffing on HTTPS it won't show any critical information, but when I tried Fiddler2 and installed a trusted certificate on my iPhone (which was issued by Fiddler2) I was able to see all my HTTPS calls! This can cause a serious security problem.
I've tried this with other applications and some of them won't show anything at all in Fiddler, as if they were protecting themselves somehow!
How can I protect my application?
Thanks
--- Extra information on the selected solution ---
If you are using AFNetworking, starting from version 1.1 you can do the following to solve the issue:
Add the following to your PROJECT-Prefix.pch:
#define _AFNETWORKING_PIN_SSL_CERTIFICATES_ 1
Make sure you have added the Security framework, then import it in the AFURLConnectionOperation.m file:
#import <CommonCrypto/CommonDigest.h>
Add this extra function to the file:
// Hex-encoded SHA-256 of a certificate's raw DER bytes (the NSData that
// SecCertificateCopyData() returns), so the result matches the SHA-256 of the
// server's .cer file rather than the hash of NSData's -description string.
- (NSString *)sha256OfCertificateData:(NSData *)certificateData
{
    uint8_t digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(certificateData.bytes, (CC_LONG)certificateData.length, digest);
    // Render as lowercase hex for comparison with the constant in the prefix header.
    NSMutableString *output = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];
    for (int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++) {
        [output appendFormat:@"%02x", digest[i]];
    }
    return output;
}
Replace this line:
if ([[[self class] pinnedCertificates] containsObject:certificateData])
with this one:
if ([[self sha256OfCertificateData:certificateData] isEqualToString:SSL_CERTIFICATE_SHA256])
Make sure you've calculated the SHA-256 of the server's certificate and define the value in your prefix file:
#define SSL_CERTIFICATE_SHA256 @"<certificate SHA256 value>" // 64 lowercase hex characters
Done!
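How to compute the value that goes into SSL_CERTIFICATE_SHA256, and why a proxy-issued certificate does not match it, as an added shell example that is not part of the original post or of AFNetworking. It assumes openssl is on the PATH and generates throwaway self-signed certificates on the spot (api.example.com is a placeholder host name). It also goes a little beyond the post in two ways: the check carries a set of pins rather than one, so a backup pin for the next certificate can ship before the current one expires, and it prints the public-key (SPKI) pin, which survives a renewal that keeps the same key pair where the certificate pin in the post does not.

```shell
#!/bin/sh
# Added example, not code from the original post or from AFNetworking.
# Computes the hex SHA-256 pin of a certificate's DER bytes (the value the
# pinning check compares) and shows that a certificate minted by an
# intercepting proxy for the same host name does not match it.
# Assumes: openssl on the PATH. api.example.com is a placeholder host name.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate: $1 = basename, $2 = CN.
# "real" stands in for the API's certificate, "mitm" for the proxy-issued one.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.pem" -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

# Certificate pin: SHA-256 over the DER encoding, lowercase hex.
# This is what CC_SHA256 over the SecCertificateCopyData() bytes yields.
der_sha256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/.*= *//'
}

# Public-key (SPKI) pin: SHA-256 over the DER SubjectPublicKeyInfo.
# Survives a renewal that keeps the same key pair; the certificate pin does not.
spki_sha256() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= *//'
}

# Prints "match" if the presented certificate's pin is in the pin set
# ($2...: carry a backup pin for the next certificate alongside the current one).
pin_matches() {
  presented=$(der_sha256 "$1"); shift
  for pin in "$@"; do
    [ "$presented" = "$pin" ] && { echo match; return 0; }
  done
  echo mismatch
}

make_cert real api.example.com
make_cert mitm api.example.com
PIN_REAL=$(der_sha256 "$WORK/real.pem")
PIN_MITM=$(der_sha256 "$WORK/mitm.pem")

echo "SSL_CERTIFICATE_SHA256 for the API cert: $PIN_REAL"
echo "SPKI pin for the API cert:               $(spki_sha256 "$WORK/real.pem")"
echo "proxy-issued cert, same CN, pin:         $PIN_MITM"
echo "API cert against the pin set:   $(pin_matches "$WORK/real.pem" "$PIN_REAL")"
echo "proxy cert against the pin set: $(pin_matches "$WORK/mitm.pem" "$PIN_REAL")"
```

The first line of output is the string to paste into the #define. Because the check in the post compares a single certificate hash, it starts failing the moment the server certificate is renewed, even if the key is unchanged; pinning a set that includes the next certificate's hash, or pinning the SPKI hash instead, is how to avoid shipping an app update on every renewal.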