
Certificate Pinning

Open markuswinkler opened this issue 8 years ago • 6 comments

The SDKs should be compatible with pinned certificates for connecting to the Parse Servers, allowing for faster, safer deployment, particularly in small or internal deployments.

This issue has already been posted here but there has been no progress for over a year on this: https://github.com/ParsePlatform/Parse-SDK-iOS-OSX/issues/799 (thanks @kingmatusevich)

My daily security newsletter is full of apps that got hacked because of a man-in-the-middle attack which could be easily prevented if the Parse SDK allowed for certificate pinning.

markuswinkler avatar Feb 07 '17 17:02 markuswinkler

+1 for this task. @markuswinkler What is the daily security newsletter that you are subscribing to? I would love to know. Also, is there any short-term solution beside using the built-in ACL/CLP?

QuynhNguyen avatar Feb 08 '17 05:02 QuynhNguyen

@QuynhNguyen I have different sources, hackernews (https://news.ycombinator.com) is pretty good, also heise.de (although German). Latest big reveal: https://medium.com/@chronic_9612/76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-2c9a2409dd1

One workaround (in theory) could be to implement a cloud code test function on the server that is called via the REST interface with e.g. Alamofire (where you can pin the certificate) at a given time interval plus every time the app awakes from the background. The cloud function itself can be empty and just return success. In case you detect something suspicious you automatically log the user out and report it.

Disadvantages of this approach:

  • additional load on the application server
  • SDK request still vulnerable

Another workaround is to use the REST interface with Alamofire for all security sensitive calls but that could be prohibitively tedious depending on your architecture.

markuswinkler avatar Feb 08 '17 06:02 markuswinkler
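The workaround described in the comment above, written out as an added example that is not part of the Parse SDK or of any commenter's code. It uses plain `URLSession` instead of Alamofire so the pinning logic is visible: the delegate lets the system validate the chain first, then additionally requires that at least one certificate in the chain matches a pinned SHA-256 digest of its DER encoding, and a heartbeat helper POSTs to an assumed empty cloud function over the REST API so that a pin failure surfaces as a request error. The host name, application id, the `pinCheck` function name, the `/parse` mount path and the digest values are placeholders you replace with your own.

```swift
import Foundation
import CryptoKit
import Security

/// Added example (not Parse SDK code): a URLSession delegate that accepts a TLS
/// connection to `pinnedHost` only if the server's chain, after normal system
/// validation, contains a certificate whose DER SHA-256 digest is pinned.
final class PinningDelegate: NSObject, URLSessionDelegate {
    let pinnedHost: String
    /// Base64 SHA-256 digests of DER-encoded certificates. Placeholders here;
    /// keep at least one backup pin (e.g. the next certificate or its issuer)
    /// so a routine certificate rotation does not lock users out.
    let pinnedDigests: Set<String>

    init(host: String, digests: Set<String>) {
        pinnedHost = host
        pinnedDigests = digests
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              challenge.protectionSpace.host == pinnedHost,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 1: ordinary validation (expiry, host name, trusted root).
        // Pinning is an extra check on top of this, never a replacement for it.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: compare every certificate in the validated chain against the pins.
        // SecTrustCopyCertificateChain requires iOS 15 / macOS 12.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let pinMatched = chain.contains { cert in
            let der = SecCertificateCopyData(cert) as Data
            let digest = Data(SHA256.hash(data: der)).base64EncodedString()
            return pinnedDigests.contains(digest)
        }

        if pinMatched {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Report here (e.g. to your own telemetry) before failing closed.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

/// Builds a session whose every connection to `host` goes through the pinning delegate.
func makePinnedSession(host: String, digests: Set<String>) -> URLSession {
    let delegate = PinningDelegate(host: host, digests: digests)
    return URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
}

/// The heartbeat from the thread's workaround: call an assumed empty cloud function
/// ("pinCheck", hypothetical) over the REST API. `completion(false)` means the request
/// failed, which includes the pin check rejecting the connection; the caller then
/// signs the user out and reports the event.
func runPinHeartbeat(session: URLSession, host: String, appId: String,
                     sessionToken: String?, completion: @escaping (Bool) -> Void) {
    // "/parse" is the Parse Server default mount path; adjust to your deployment.
    guard let url = URL(string: "https://\(host)/parse/functions/pinCheck") else {
        completion(false)
        return
    }
    var request = URLRequest(url: url)
    request.httpMethod = "POST"
    request.setValue(appId, forHTTPHeaderField: "X-Parse-Application-Id")
    request.setValue("application/json", forHTTPHeaderField: "Content-Type")
    if let token = sessionToken {
        request.setValue(token, forHTTPHeaderField: "X-Parse-Session-Token")
    }
    request.httpBody = Data("{}".utf8)

    session.dataTask(with: request) { _, response, error in
        let status = (response as? HTTPURLResponse)?.statusCode ?? 0
        completion(error == nil && status == 200)
    }.resume()
}

// Usage (placeholder values): run on launch, on a timer, and on return from background.
let pinnedSession = makePinnedSession(
    host: "parse.example.com",
    digests: ["REPLACE_WITH_BASE64_SHA256_OF_DER_CERT", "REPLACE_WITH_BACKUP_PIN"])
runPinHeartbeat(session: pinnedSession, host: "parse.example.com",
                appId: "YOUR_APP_ID", sessionToken: nil) { ok in
    if !ok {
        // Treat as suspicious: sign the user out and report, as the comment proposes.
    }
}
```

To compute a reference pin for a certificate you hold as PEM, hash its DER form the same way the delegate does: `openssl x509 -in server.pem -outform DER | openssl dgst -sha256 -binary | base64`. As the comment notes, this only protects the heartbeat itself; the SDK's own requests remain unpinned unless you route them through the REST API with the pinned session.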

Maybe someone from the community can implement it?

markuswinkler avatar Jul 14 '17 17:07 markuswinkler

This issue has been automatically marked as stale because it has not had recent activity. If you believe it should stay open, please let us know! As always, we encourage contributions, check out the Contributing Guide

stale[bot] avatar Sep 19 '18 09:09 stale[bot]

@stale It should be open (=

rostopira avatar Jun 19 '19 12:06 rostopira

#1598

gytiskv avatar Jan 25 '21 11:01 gytiskv