Flag insecure TrustKit certificate pinning settings

Docs > Plateforme de sécurité Datadog > Code Security > Static Code Analysis (SAST) > Règles SAST > Flag insecure TrustKit certificate pinning settings

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: swift-security/trustkit-pinning

Language: Unknown

Severity: Error

Category: Security

CWE: 295

Description

This rule detects improper or disabled certificate pinning when using TrustKit in iOS applications. Without strict pinning, attackers could intercept and manipulate network traffic through Man-in-the-Middle (MitM) attacks, compromising confidentiality and integrity of user data. To mitigate this, applications should enforce proper certificate pinning configurations in line with Apple guidelines.

Non-Compliant Code Examples

import Foundation
import TrustKit

// --- NON-COMPLIANT EXAMPLE 1: Pinning is not enforced ---

// ruleid: trustkit_pinning_enforce_disabled
let trustKitConfigEnforceDisabled: [String: Any] = [
    kTSKPinnedDomains: [
        "www.datatheorem.com": [
            kTSKEnforcePinning: false, // VULNERABILITY: Pinning is explicitly disabled.
            kTSKIncludeSubdomains: true,
            kTSKPublicKeyHashes: [
                "someHash1",
                "someHash2"
            ]
        ]
    ]
]

TrustKit.init(configuration: trustKitConfigEnforceDisabled)


// --- NON-COMPLIANT EXAMPLE 2: Subdomain pinning is disabled ---

// ruleid: trustkit_pinning_subdomain_disabled
let trustKitConfigSubdomainDisabled: [String: Any] = [
    kTSKPinnedDomains: [
        "example.com": [
            kTSKEnforcePinning: true,
            kTSKIncludeSubdomains: false, // VULNERABILITY: Subdomains are not pinned.
            kTSKPublicKeyHashes: [
                "anotherHash1",
                "anotherHash2"
            ]
        ]
    ]
]

TrustKit.init(configuration: trustKitConfigSubdomainDisabled)

Compliant Code Examples

import Foundation
import TrustKit

// This file demonstrates the SECURE and COMPLIANT way to configure TrustKit.

// Define the TrustKit configuration dictionary.
let trustKitConfig: [String: Any] = [
    kTSKPinnedDomains: [
        "www.datatheorem.com": [
            // COMPLIANT: Pinning is explicitly enforced. This is the most critical setting
            // to prevent MitM attacks.
            kTSKEnforcePinning: true,
            
            // COMPLIANT: Pinning is also enforced for all subdomains, ensuring
            // comprehensive security coverage for the entire domain.
            kTSKIncludeSubdomains: true,
            
            // Provide the valid Base64-encoded SHA-256 hashes of the public keys.
            kTSKPublicKeyHashes: [
                "khh4hgtv9b0z6yioj2l8f9d6h3j3b2b1j6g6f8d3d2c2b1a0", // Primary key
                "jhh5igtv9b0z6yioj2l8f9d6h3j3b2b1j6g6f8d3d2c2b1a1"  // Backup key
            ],
        ]
    ]
]

// Initialize TrustKit with the secure configuration.
// This should be done early in the app's lifecycle, e.g., in AppDelegate.
TrustKit.init(configuration: trustKitConfig)

print("TrustKit has been initialized with a SECURE pinning configuration.")