Trust Evaluation in iOS devices

Apple’s Security Framework provides enough APIs to implement your own methods to secure the data your app manages. One important component of managing certificates is verifying if the certificate is valid or not. For verifying these certificates it provides an API called SecTrustEvaluate.

Now this function evaluates all the certificates in your chain of trust from the end SSL certificate to the root certificate. For each certificate, it evaluates whether it has been revoked or not. It chooses different methods for this, in an incremental approach. First it checks them in it’s cache, then in the set of certificates that the system has in the keychain and then it hits apple servers to verify them. Now, this is a network operation and remember that this operations is applied for all the certificates in your trust chain. It has a timeout of 7 seconds. The network operation uses something called the OCSP Protocol to evaluate the revocation status of each certificate. Unlike OSX, iOS does not have support to choose between CRL or OCSP. OCSP is enabled by default for iOS devices. In brief, the OSCP protocol is as follows. The device sends an HTTP request to a OSCP responder, like http://ocsp.apple.com and gets the response regarding the trustiness of the certificate. Since the request and response do not contain any sensitive information, HTTP can be used for these requests. These devices use a best effort level regarding the certificates. If they could not find any information regarding each of these certificates, then it considers it as trust worthy. These certificates are then added to its cache or the keychain.

When using this API, it should be noted that this can be a blocking request. So it is not a good idea to use this on the main thread. Or, you could use SecTrustEvaluateAsync for this job.

Share Comments

Mortal and Immortal Symbols in Ruby

Symbols are one of the most powerful datatypes that Ruby has to offer. Compare
and lookup operations are faster when symbols are used rather than strings. You
can check this post here know more about symbols and their performance when compared to strings.

One disadvantage of using symbols is that, they live in the program’s memory
for the entire life cycle of it’s execution. This is one of the reasons for faster symbol lookups. This also was the reason for many denial of service vulnerabilites in Ruby, for example this one.

From Ruby 2.2, there is a new concept of Mortal and Immortal Symbols. Internally
ruby has three types of symbols. Mortal dynamic symbols, which are symbols
created dynamically by user, Immortal dynamic symbols are the mortal dynamic symbols
that have been promoted to immortal dynamic symbols and then there are immortal
static symbols, which are function names, class names etc. The GC only collects the
Mortal dynamic symbols. An example of such symbols are symbols created by to_sym method.

Share Comments

Hello World

Hi there! I just setup this webpage. As of now, I haven’t started writing any blogs yet, but the idea is to start soon. Most of them will be about stuff related to Programming or Math.

So, until then stay awesome and thank you.

Share Comments