I ran into a security issue with my iOS app. I use HTTPS for all my network calls, and a public certificate from a trusted authority is included in the application to prevent man-in-the-middle attacks (ref: Man-in-the-middle attack - Wiki). I am doing SSL pinning (checking the certificate from the server in/before each network call). On Android it works fine; on iOS, however, there is a TLS session cache that caches the certificate validity after the first network call.
For the first network call, the certificate verification part works fine; for the second call, the cache is used by the OS, and I cannot verify the certificate. My QA team can easily attack and receive all the data from a network call for the 2nd and subsequent network calls. Here is a link to the TSI documentation of a TLS session. There seems to be no way to clear the cache programmatically (ref: AdvancedURLConnections).
Changing the request parameter does not help; I have already tried this. Please provide a specific iOS solution. I cannot encrypt my data for business reasons.
EDIT: I use the method below to verify my certificate. For the first network call, this method is called by the OS; for subsequent calls, this method is not called.
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
My QA team simply performs a MiTM attack on each network call: they try to use their certificate, and if I do not verify the certificate for any network call, they can read the data easily. Due to the cache, I cannot verify my certificate.
Husyn
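For reference, the kind of pinning check the question describes inside that delegate callback, as an added example that is not the poster's code. It assumes an NSURLConnection delegate, a hypothetical class name `PinningDelegate`, and a DER copy of the server's leaf certificate bundled as the hypothetical resource `pinned.cer`.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate class; "pinned.cer" is an assumed DER file in the app bundle.
@interface PinningDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinningDelegate

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Only server-trust challenges carry the certificate chain to check.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    SecTrustRef trust = space.serverTrust;

    // 1. Standard chain validation (trusted root, expiry, hostname). iOS 12+.
    CFErrorRef error = NULL;
    BOOL chainOK = SecTrustEvaluateWithError(trust, &error);
    if (error) CFRelease(error);

    // 2. Pin: the leaf certificate must be byte-identical to the bundled copy.
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        // Deprecated since iOS 15 in favour of SecTrustCopyCertificateChain.
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *serverDER = CFBridgingRelease(SecCertificateCopyData(leaf));
        NSString *path = [[NSBundle mainBundle] pathForResource:@"pinned" ofType:@"cer"];
        NSData *pinnedDER = path ? [NSData dataWithContentsOfFile:path] : nil;
        pinOK = (pinnedDER != nil && [serverDER isEqualToData:pinnedDER]);
    }

    if (pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed: the request is cancelled and no data is sent.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```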