iOS App Security - Anti Network Sniffing

I recently implemented SSL pinning in my app to help protect against sniffing out API calls and found something interesting.

If your iOS project settings are set to 'HttpClient Implementation: Managed(default)' then you can't sniff the traffic, whether it be HTTP or HTTPS, using Charles, Burp or other common sniffers on a device or simulator.

Change the above setting to 'NSUrlSession' and then all of a sudden the traffic appears in the sniffers. I also noticed this same behavior on app store versions using these settings.

Useful for security purposes but took a while to figure out for debugging.
Food for thought.

Posts

  • RaghavV

    I have managed HttpClient. But what about TLS 1.2? Also, managed is not the default anymore while creating a new project.
