隐藏来自fiddler的iOS HTTPS调用 [英] hiding iOS HTTPS calls from fiddler

问题描述

我在我的iPhone应用程序中使用HTTPS与我自己的API进行通信。

i'm using HTTPS in my iPhone app to communicate with my own API.

我注意到当我尝试在HTTPS上进行数据包嗅探时不会显示任何重要信息。但当我尝试Fiddler2并在我的iPhone上安装了一个可靠的证书（由Fiddler2发布）时，我已经能够看到我所有的HTTPS通话！这可能会导致严重的安全问题。

I've noticed that when i try to do packet sniffing on an HTTPS it won't show any critical information. but when i tried Fiddler2 and installed a trusted certificate on my iPhone (which was issued by Fiddler2) I've been able to see all my HTTPS calls!!! which can cause a serious security problem.

我已经尝试过其他应用程序，其中一些甚至不会在Fiddler中显示任何内容，就像他们以某种方式保护自己一样！

I've tried this with other applications and some of them won't show even anything in Fiddler as if they were protecting themselves somehow!

我如何保护我的申请？

谢谢

---所选解决方案的额外信息----

如果您使用AFNetworking，从1.1版开始，您可以执行以下操作来解决问题：

if you are using AFNetworking, starting from version 1.1 you can do the following to solve the issue:

将以下内容添加到PROJECT-Prefix.pch

add the following to your PROJECT-Prefix.pch

#define _AFNETWORKING_PIN_SSL_CERTIFICATES_ =1

确保您已添加安全框架，然后将其导入 AFURLConnectionOperation.m 文件

make sure you have added the security framework then import it in the AFURLConnectionOperation.m file

#import <CommonCrypto/CommonDigest.h>

将此额外功能添加到文件中

add this extra function to the file

-(NSString*) sha256:(NSString*)input
{
    const char *cstr = [input cStringUsingEncoding:NSUTF8StringEncoding];
    NSData *data = [NSData dataWithBytes:cstr length:input.length];

    uint8_t digest[CC_SHA256_DIGEST_LENGTH];

    CC_SHA256(data.bytes, data.length, digest);

    NSMutableString* output = [NSMutableString stringWithCapacity:CC_SHA256_DIGEST_LENGTH * 2];

    for(int i = 0; i < CC_SHA256_DIGEST_LENGTH; i++)
        [output appendFormat:@"%02x", digest[i]];

    return output;
}

替换此行

if ([[[self class] pinnedCertificates] containsObject:certificateData])

这一个

if ([[self sha256:[certificateData description]] isEqualToString:SSL_CERTIFICATE_SHA256])

确保您已计算出服务器证书的SHA256并在前缀文件中定义值

make sure you've calculated the SHA256 of the server's certificate and define the value in your prefix file

#define SSL_CERTIFICATE_SHA256 @"<certificate SHA256 value>"

完成！

推荐答案

所以你使用Fiddler2作为iPhone的代理。然后所有请求都将通过提琴手。 Fiddler将表现得像是终点，并将返回您信任的证书。然后它将使用新请求将请求转发到实际URL。因此，它能够读取响应。然后它将返回原始请求中的数据。如果要在应用程序中阻止此操作，则必须添加自己的证书验证。您可以检查二进制级别的证书或解析证书并验证字段（如发行者）

So you are using Fiddler2 as a proxy for your iPhone. All requests will then pass through fiddler. Fiddler will act like it's the end point and will return the certificate that was trusted by you. Then it will forward the request to the actual url using a new request. Therefore it's able to read the response. Then it will return the data in the original request. If you want to prevent this in your app, then you have to add your own certificate validation. You could check the certificate on binary level or parse the certificate and validate the fields (like issuer)

我发现本教程包含有关测试证书的信息 http://www.inmite.eu/en/blog/20120314 -how-to-validate-ssl-certificates-iOS-client
也许这也有帮助： http://www.cocoanetics.com/2013/02/rfc-dtcertificateviewer/

I found this tutorial with information about testing certificates http://www.inmite.eu/en/blog/20120314-how-to-validate-ssl-certificates-iOS-client Maybe this could also help: http://www.cocoanetics.com/2013/02/rfc-dtcertificateviewer/

您还可以添加一个通过添加您自己的编码层来提高安全性。服务器需要使用入站数据进行响应，然后您将解密该响应。

You could also add an extra level of security by adding your own encription layer. The server needs to respond with encripted data and you will then decrypt that response.

这篇关于隐藏来自fiddler的iOS HTTPS调用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！