-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug][iOS] Not working with expo-dev-client in debug build #223
Comments
Hello @quaos , I am reviewing this library to implement it within my project and I am having the same problem on iOS. But in this case, after some testing with the project inside the library, I found the following: Test 1 a. Initialization === TrustKit: Loaded 6 SPKI cache entries from the filesystem === TrustKit: Successfully initialized with configuration { b. Validation === TrustKit: Checking includeSubdomains configuration for google.com Test 2 But now the problem arises when I initialize the trukit with valid keys, the initialization is done correctly and the first validation is done correctly. as can be seen in the following images and traces: Initialization === TrustKit: Successfully initialized with configuration { Validation === TrustKit: Checking includeSubdomains configuration for google.com but now if I initialize the trukit again with invalid keys and make a new request, the validation of the keys is not done and the request comes out as successful. initialization invalid keys === TrustKit: Successfully initialized with configuration { validation with invalid keys |
After performing several tests and researching various forums, I found the following: When the request is made to any domain even without initializing trustkit, it seems that NSURLSession maintains its own TLS session cache. This means that if I initialize trustkit again, this configuration will not be taken and the new validation will not be done with my new keys. The test done to determine this was:
Note: I updated this post because by testing the instructions given by this blog https://developer.apple.com/library/archive/qa/qa1727/_index.html, I found that indeed when waiting for 10 minutes and performing a new request, validation was carried out again with the trustkiy pins |
Thanks for the investigation into the issue. Indeed, iOS maintains a session cache, which re-uses connections if they've been made successfully before. This is detailed in the Known Issues section in the README:
The main workaround would be to ensure you initialize the pinning before any network requests are made. @quaos are you still facing an issue with the pinning, taking this into consideration? |
Hello @frw , thank you very much for your prompt response, what a shame I didn't see the known issues section. In my case I am reviewing the issue of updating keys since I was trying to implement a request at the beginning that would bring me the new keys but with this issue that is presented in iOS I think it is going to be an inconvenience, I am going to review the updates via OTA Let's see if I can find something on that side. Thank you very much again for your response. |
@cristian1206 |
@cristian1206 @frw Thanks! I'd try applying the pins at the first entrypoint of application and see if that works. (I'm also suspecting some 3rd party SDKs that 'd get initialized in |
@quaos For further debugging, you can also check this thread for breakpoints you can use to see if the library is functioning properly: #220 (comment) |
UPDATEHere is my latest attempt to fix this:
Still the requests to pinned domains do not get blocked. Here are the related event logs: JS Console logsBEFORE TrustKit init
TrustKit init
AFTER TrustKit init
iOS Simulator -> MacOS Console logsBEFORE TrustKit init
TrustKit init
AFTER TrustKit init NOTE: The log lines streamed to MacOS console keep streaming even after I pressed Pause button, and the logs from a few minutes ago was lost |
Hello @quaos . I have the following questions:
|
Yes. It can make requests to the domain and get responses.
I also added pins for
Currently when I open
I get the project to run using |
UPDATEI've created a test repo in attempt to reproduce the issue, but still can't: However, I could successfully run the original project with debugging in XCode (it stops at breakpoints as expected), and this is my latest findings:
|
UPDATEHere are the latest log and stacktraces, showing that in the original repo the app execution does not enter TrustKit validator methods at all: Test Repo (entering TrustKit methods ✅)JS log
XCode Debug stack trace
iOS -> MacOS console log (hard to capture, it flows non-stop and won't pause)
Original Repo (not entering TrustKit methods ❌)JS log
XCode Debug stack trace
iOS -> MacOS console log (hard to capture, it flows non-stop and won't pause)
|
UPDATEUpon deeper investigation, I found that NONE of these network delegate methods existing in the original repo is getting called:
|
NotesMight be related to: expo/expo#24096 Will try to reproduce by adding |
Seems like it is caused by Let me see what options are available to hook into Expo's Otherwise, it seems like |
Thanks! I've built the original app for iOS simulator using EAS, and when running the build on simulator, SSL pinning is enforced as designed. So this should work correctly on production. |
do you working to fix this ? @frw |
@oottoohh Yes I will try to fix this issue, though I will need to do a little bit of digging around to see how I can make it work nicely with expo-dev-client. |
I've taken a look around and I think the easiest solution is to disable the Let me know if you come across any issues with it! |
thankyou for quick response @frw, when i try it still not working with my own project, i already try set false for expo-dev-client. btw im using this for my template project https://github.com/infinitered/ignite |
@oottoohh The instructions only apply for the Expo managed workflow. Looking at the template, it seems like it's a regular React Native library that uses some Expo modules. In this case, could you try adding
to the top of your Podfile and then rerunning |
@frw yeah its already there in my podfile. but let me try again after looking your example maybe i need change the way of my implement. |
@oottoohh Could you post your It seems like the boilerplate you're using does use the Expo managed workflow, and already has |
App.json : { podfile : require 'json' ENV['RCT_NEW_ARCH_ENABLED'] = podfile_properties['newArchEnabled'] == 'true' ? '1' : '0' platform :ios, podfile_properties['ios.deploymentTarget'] || '13.0' prepare_react_native_project! flipper_config = FlipperConfiguration.disabled flipper_config = FlipperConfiguration.disabled if podfile_properties['ios.flipper'] == 'true' then abstract_target 'common' do use_expo_modules! use_frameworks! :linkage => podfile_properties['ios.useFrameworks'].to_sym if podfile_properties['ios.useFrameworks'] use_react_native!( post_install do |installer|
end post_integrate do |installer| i just using iOS, so maybe you dont need checking for android, then implement ssl pinning using trustkit with native code before so thats why i define trustkit 2.0.1, is it problem ? |
That's great to hear that your setup works properly now! Depending on TrustKit 2.0.1 shouldn't be a problem, but I would advise you to update to the latest version by removing |
Hi,
About 1-2 months ago, I had used this library to enforce SSL pinning in my company's app on a PoC branch, which worked as expected.
And just today, I tried to install and apply the library again in a new branch, but now it does not block any request to pinned domain when using invalid keys.
Already run
cd ios && pod install
thenexpo run:ios
UPDATE (2024-01-24):
test-expo-ssl-pinning-1
Certificate pinning failure!
error message as expected.Configuration
(Testing invalid keys case)
Logs
(iOS to MacOS Console log)
Versions
Thanks!
The text was updated successfully, but these errors were encountered: