Certificate and public-key pinning reduces the risk of some types of man-in-the-middle (MITM) attacks.
In Web Public-Key Infrastructure (PKI), a TLS client trusts any server certificate issued by a trusted certificate authority (CA). There are many CAs (see Available trusted root certificates for Apple operating systems), and if the security of just one CA is compromised, then an attacker could forge server certificates for use in a man-in-the-middle (MITM) attack.
Certificate or public-key pinning describes a process by which TLS clients can reduce the risk of connecting to an imposter server by checking the server’s certificate chain for the presence of one or more expected ('pinned') certificates or public keys. This extra criterion reduces the number of CAs the client trusts as valid issuers of certificates for the server. For example, a bank that manages its own CA could implement certificate pinning to ensure that its StreamLink for iOS apps only trust server certificates that include the public key of the bank’s CA in their certificate chain.
For a detailed overview of certificate and public-key pinning, see Certificate and Public Key Pinning on the OWASP website.
Overriding TLS certificate validation in Apple iOS
To override certificate validation in StreamLink for iOS, pass an iOS
SecTrustRef trust object to the
For more information on the
SLStreamLink interface in StreamLink for iOS, see
For more information the
SecTrustRef trust object in iOS, see Overriding TLS chain validation correctly on the Apple Developer website.