No SSL Pinning for UIWebView #7

Open
jaxley opened this issue Feb 21, 2014 · 4 comments

@jaxley

jaxley commented Feb 21, 2014

Seems to be a common omission in certificate pinning examples and implementations that they do not ensure comprehensive coverage for all HTTPS connections on mobile applications. UIWebView requires implementing a custom NSURLProtocol to gain the proper control over how the UIWebView URL requests are invoked in order to ensure those are also pinned. Are you planning on adding code for that?

@nabla-c0d3
Member

When I initially looked at this and Apple's documentation, I couldn't find a way/API/method to do cert pinning in a UIWebView. I'll have a look at NSURLProtocol; if this class exposes the right methods for handling authentication challenges I'll definitely add cert pinning code for this.
Thanks!

@devgeeks

devgeeks commented Apr 1, 2014

👍

@nabla-c0d3
Member

Not sure when I'll have time to work on this but Apple has released sample code to do exactly that:
https://developer.apple.com/library/ios/samplecode/CustomHTTPProtocol/Introduction/Intro.html
The code is a bit complicated so I would still want to integrate this in the SSL conservatory and expose a simpler/nicer API.

@nabla-c0d3
Member

It has been a while but I solved this problem (and many others) in a new SSL pinning library: https://github.com/datatheorem/TrustKit

I was also told that NSURLProtocol is extremely slow.
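
The approach discussed in this thread, sketched as an added example (not code from this project, from Apple's CustomHTTPProtocol sample, or from TrustKit): a custom NSURLProtocol re-issues each UIWebView HTTPS request through its own NSURLSession and makes the pinning decision in the server-trust challenge. The class name `PinnedURLProtocol`, the `setPins:` method, the property key and the host-to-leaf-certificate pin format are all hypothetical. It assumes iOS 12 or later for `SecTrustEvaluateWithError` and that delivering client callbacks from the session's delegate queue is acceptable for the app.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical names throughout. Pins map host -> DER bytes of the expected leaf certificate.
static NSString *const kPinHandledKey = @"PinnedURLProtocolHandled";
static NSDictionary<NSString *, NSData *> *gPins;

@interface PinnedURLProtocol : NSURLProtocol <NSURLSessionDataDelegate>
+ (void)setPins:(NSDictionary<NSString *, NSData *> *)pins;
@property (nonatomic, strong) NSURLSession *session;
@end

@implementation PinnedURLProtocol
+ (void)setPins:(NSDictionary<NSString *, NSData *> *)pins { gPins = [pins copy]; }
// Claim only HTTPS requests to pinned hosts that this class has not already re-issued.
+ (BOOL)canInitWithRequest:(NSURLRequest *)request {
    return [request.URL.scheme isEqualToString:@"https"] && gPins[request.URL.host] != nil &&
           [NSURLProtocol propertyForKey:kPinHandledKey inRequest:request] == nil;
}
+ (NSURLRequest *)canonicalRequestForRequest:(NSURLRequest *)request { return request; }
- (void)startLoading {
    NSMutableURLRequest *req = [self.request mutableCopy];
    [NSURLProtocol setProperty:@YES forKey:kPinHandledKey inRequest:req]; // prevents re-entry
    self.session = [NSURLSession sessionWithConfiguration:
        [NSURLSessionConfiguration ephemeralSessionConfiguration] delegate:self delegateQueue:nil];
    [[self.session dataTaskWithRequest:req] resume];
}
- (void)stopLoading { [self.session invalidateAndCancel]; }
// Pinning decision: the chain must pass normal evaluation AND the leaf must match the pin.
// A host with no pin (for example after a redirect) fails closed.
- (void)URLSession:(NSURLSession *)s didReceiveChallenge:(NSURLAuthenticationChallenge *)c
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))done {
    NSURLProtectionSpace *ps = c.protectionSpace;
    if (![ps.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        done(NSURLSessionAuthChallengePerformDefaultHandling, nil); return;
    }
    SecTrustRef trust = ps.serverTrust;
    BOOL chainOK = trust != NULL && SecTrustEvaluateWithError(trust, NULL);
    NSData *leaf = chainOK ? CFBridgingRelease(SecCertificateCopyData(
                                 SecTrustGetCertificateAtIndex(trust, 0))) : nil;
    NSData *pin = gPins[ps.host];
    if (leaf && pin && [leaf isEqualToData:pin])
        done(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
    else
        done(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
}
// Relay the response, body and completion back to the URL loading system (and the web view).
- (void)URLSession:(NSURLSession *)s dataTask:(NSURLSessionDataTask *)t
didReceiveResponse:(NSURLResponse *)r completionHandler:(void (^)(NSURLSessionResponseDisposition))done {
    [self.client URLProtocol:self didReceiveResponse:r cacheStoragePolicy:NSURLCacheStorageNotAllowed];
    done(NSURLSessionResponseAllow);
}
- (void)URLSession:(NSURLSession *)s dataTask:(NSURLSessionDataTask *)t didReceiveData:(NSData *)d {
    [self.client URLProtocol:self didLoadData:d];
}
- (void)URLSession:(NSURLSession *)s task:(NSURLSessionTask *)t didCompleteWithError:(NSError *)e {
    if (e) [self.client URLProtocol:self didFailWithError:e];
    else [self.client URLProtocolDidFinishLoading:self];
    [s finishTasksAndInvalidate]; // the session retains its delegate until invalidated
}
@end
```

The class takes effect once `[NSURLProtocol registerClass:[PinnedURLProtocol class]]` has been called and pins have been set, before the UIWebView issues its first request.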
