TrustKit 1.2.0 for iOS 9 Released
I just released TrustKit 1.2.0, which adds support for iOS 9. As explained in a previous blog post, Apple implemented a behind-the-scenes change in iOS 9 that broke TrustKit (and other tools).
- Complete re-write of the hooking strategy to automatically add SSL pinning to the App’s connections. TrustKit now swizzles NSURLConnection delegates to add pinning validation to the delegate’s authentication handler methods; for developers who want to call into TrustKit manually, this behavior can be disabled using the TSKSwizzleNetworkDelegates setting. This change was made due to the previous hooking strategy (targeting SecureTransport) not working on iOS 9.
- The pinning policy format has slightly changed, in order to add new global settings: TSKPinnedDomains. If you have an existing pinning policy for TrustKit 1.1.3, all you need to do is put it under the
- Greatly simplified the TSKPinningValidator API to make it easy to write authentication handlers that enforce the App’s SSL pinning policy. Sample code describing how to do it is available in the documentation.
- Updated Xcode project settings: stricter warnings, enabled bitcode, separate iOS and OS X build schemes.
- Pinning failure reports now also send the IDFV in order to simplify the troubleshooting of errors, by being able to detect a single, malfunctioning device.
More information is available on the project’s GitHub page.
Migrating from a previous version
If you were already using TrustKit in your App, here are a few things to take into account when updating to 1.2.0:
- The new hooking technique based on swizzling NSURLConnection delegates will only protect connections initiated via these APIs, while the previous implementation would also work on other APIs such as NSStream. The updated Getting Started guide has guidelines on how to leverage TrustKit for these network APIs.
- As explained in the changelog, the policy format has slightly changed. For your existing policy to work on 1.2.0, you just need to put it under the
- If you don’t want TrustKit to auto-magically try to enforce SSL pinning on your App’s connections, you can now disable this behavior by setting the NO, and instead call into TrustKit manually within your App’s authentication handlers, using the
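The manual setup described in the migration notes, as an added example that is not taken from this post or from TrustKit's documentation: a policy nested under the pinned-domains key with swizzling disabled, and an NSURLConnection delegate that asks TrustKit for the decision. The constant, enum and method names are assumed from TrustKit's public headers for this release and should be checked against the documentation; the domain and pin values are constructed placeholders.

```objectivec
#import <Foundation/Foundation.h>
#import <TrustKit/TrustKit.h>
#import <TrustKit/TSKPinningValidator.h>

// Call once at startup, before any connection is opened.
static void ConfigurePinning(void) {
    NSDictionary *config = @{
        // Global setting: NO disables delegate swizzling, so the App must
        // call into TrustKit itself (see the delegate below).
        kTSKSwizzleNetworkDelegates: @NO,
        // A 1.1.3 policy (domain -> settings) moves under this key unchanged.
        kTSKPinnedDomains: @{
            @"www.example.com": @{  // constructed domain
                kTSKIncludeSubdomains: @YES,
                kTSKPublicKeyAlgorithms: @[kTSKAlgorithmRsa2048],
                kTSKPublicKeyHashes: @[
                    @"<base64 SHA-256 of primary SPKI>",  // placeholder
                    @"<base64 SHA-256 of backup SPKI>",   // placeholder
                ],
            },
        },
    };
    [TrustKit initializeWithConfiguration:config];
}

@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate
- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a TLS server-trust challenge: nothing to pin.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    TSKTrustDecision decision = [TSKPinningValidator evaluateTrust:space.serverTrust
                                                       forHostname:space.host];
    if (decision == TSKTrustDecisionShouldAllowConnection) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust]
             forAuthenticationChallenge:challenge];
    } else if (decision == TSKTrustDecisionDomainNotPinned) {
        // Host is not in the policy: fall back to the system's validation.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
    } else {
        // Pin mismatch or invalid chain: fail closed.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```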
TrustKit and PayPal
Unrelated to the 1.2.0 release but of particular interest is the fact that TrustKit was featured in a post about “Key Pinning in Mobile Applications” on PayPal’s engineering blog!