TrustKit: Effortless SSL Pinning for iOS and OS X

Earlier this week, Angela Chow (from the Yahoo security team), Eric Castro and Alban Diquet spoke at the Black Hat US conference in a session titled “TrustKit: Code Injection on iOS 8 for the Greater Good” (slide deck is available here).

We presented TrustKit, a new open-source library that makes it very easy to deploy SSL pinning in iOS or OS X Apps. The approach we used to solve SSL pinning is novel in several ways, as it is based on techniques such as function hooking and code injection, which are generally used for reverse-engineering and customizing Apps on a jailbroken device.

The result is what we like to call “Drag & Drop” SSL pinning: TrusKit can be deployed in any App in minutes, without having to modify the App’s source code.

Additionally, to ensure TrustKit would work in real-world Apps with millions of users and strict requirements in terms of performance, battery life and overall usability, we collaborated with the Yahoo mobile and security teams. They helped us design a library that would solve the challenges most companies are facing with SSL pinning, such as detecting how many users are seeing unexpected certificate chains in the wild, or ensuring that 100% of the App’s connections are protected.

TrustKit is already live on the App Store in some of the Yahoo Apps, and we open-sourced the project on GitHub at the end of our presentation. Have a look and let us know what you think! The more developers use it, the better it will get.

Alban Diquet - 08 Aug 2015 at 12:02