
Port MASTG-TEST-0068 (iOS Certificate Pinning) to v2#3732

Draft
Copilot wants to merge 3 commits into master from copilot/add-custom-certificate-testing

Conversation

Contributor

Copilot AI commented Feb 27, 2026

Ports the v1 iOS certificate pinning test to the MASTG v2 structure, splitting it into focused, typed tests and extending the relevant knowledge article with a comprehensive Certificate Pinning section.

Knowledge (MASTG-KNOW-0072)

Added a Certificate Pinning section covering all iOS pinning surfaces:

  • ATS via NSPinnedDomains — recommended declarative approach with Info.plist XML example, including NSPinnedCAIdentities / NSPinnedLeafIdentities, backup pin and rotation caveats
  • Manual URLSessionDelegate trust evaluation — common pitfalls (unconditional useCredential, missing cancelAuthenticationChallenge)
  • Third-party libraries — TrustKit, Alamofire (PublicKeysTrustEvaluator), AFNetworking (AFSecurityPolicy)
  • WebViews — WKNavigationDelegate coverage gaps for sub-resource loads
  • Native code — SecTrust / Network framework
  • Cross-platform frameworks — Flutter (BoringSSL bypasses ATS), React Native, Cordova

New v2 Tests (fake IDs pending merge)

| ID | Title | Type | Weakness |
|---|---|---|---|
| MASTG-TEST-0x01 | Missing Certificate Pinning in ATS | static | MASWE-0047 |
| MASTG-TEST-0x02 | Expired Certificate Pins in ATS | static | MASWE-0047 |
| MASTG-TEST-0x03 | Runtime Use of Certificate Pinning APIs | dynamic | MASWE-0047 |
| MASTG-TEST-0x04 | Missing Certificate Pinning in Network Traffic | network | MASWE-0047 |

MASTG-TEST-0x02 covers third-party library expiration keys (e.g., TrustKit's kTSKExpirationDate in Info.plist), since NSPinnedDomains itself has no expiration support.

MASTG-TEST-0x03 references MASTG-TECH-0064 (bypass/identify hooked APIs) and MASTG-TECH-0086 (method tracing) for surfacing pinning delegates at runtime.

New v2 Demos (fake IDs pending merge)

| ID | Title | Type | Status |
|---|---|---|---|
| MASTG-DEMO-0x01 | Missing Certificate Pinning in ATS | static, fail | |
| MASTG-DEMO-0x02 | Expired Certificate Pins in ATS | static, fail | |
| MASTG-DEMO-0x03 | Runtime Use of Certificate Pinning APIs | dynamic, fail | draft |
| MASTG-DEMO-0x04 | Missing Certificate Pinning in Network Traffic | network, fail | draft |

MASTG-DEMO-0x01: Shows an Info.plist without NSPinnedDomains. The run.sh uses plutil/jq/gron to search for the key and produces an empty output.txt, confirming no pins are configured.

MASTG-DEMO-0x02: Shows a TrustKit TSKConfiguration with TSKExpirationDate = 2020-01-01. The run.sh extracts the date, and the evaluation confirms it is in the past.

MASTG-DEMO-0x03 (status: draft): Shows a URLSessionDelegate implementation that accepts any server credential unconditionally. Includes frida-trace and objection steps for method tracing.

MASTG-DEMO-0x04 (status: draft): Describes the MITM proxy interception scenario for an app with no pinning configured.

Best Practice

Added MASTG-BEST-0032 — iOS certificate pinning recommendation favoring NSPinnedDomains, with guidance on CA vs. leaf pinning, backup pins, rotation strategy, and bypass risk.

Deprecation

MASTG-TEST-0068 marked status: deprecated, covered_by: [MASTG-TEST-0x01..0x04].

Original prompt

This section details the original issue you should resolve

<issue_title>MASTG v1->v2 MASTG-TEST-0068: Testing Custom Certificate Stores and Certificate Pinning (ios)</issue_title>
<issue_description>
Create a new MASTG v2 test covering for:

Follow the guidelines

Additional notes for the implementation

  1. Extend MASTG-KNOW-0072 with a "Certificate Pinning" section

  2. Port the existing test MASTG-TEST-0068 to the new v2 which would surely imply splitting it into separate ones, e.g.

    • Missing Certificate Pinning in ATS (static)
    • Expired Certificate Pins in ATS (static)
    • Runtime Use of Certificate Pinning APIs (dynamic)
      • Using Frida hooks to trace the APIs, which can be supported by MASTG-TECH-0064 to quickly identify APIs as the original test suggests
    • Missing Certificate Pinning in Network Traffic (network)

</issue_description>

<agent_instructions>Ensure to use "fake IDs" like MASTG-TEST-0x01, MASTG-TEST-0x02 or MASTG-DEMO-0x01 instead of the ones that would correspond. We do this because it avoids conflicts until the moment that we merge the PR.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

<comment_new>@cpholguera Although we may look at certificate transparency next. For now, it's important to port the tests to the new v2 structure. Despite any recommendations, the detection of pinning or lack thereof is still required for the MASTG and needs to be up to date.

We recently merged a PR for the Android counterpart, and I'd like to follow the same approach here. See the issue description, I've now updated it to reflect this.

If you'd like to give it a try, please do so. Let me know so I can assign it to you.</comment_new>
<comment_new>@cpholguera
No problem, thanks for the heads up @sydseter </comment_new>
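As an added example (not code from this PR or from the MASTG demos themselves), a Python check that mirrors what the two static demos described in the PR look for in an Info.plist: whether ATS NSPinnedDomains carries any pins (DEMO-0x01), and whether a TrustKit TSKExpirationDate has already passed (DEMO-0x02). The sample plists are constructed; the TrustKit key layout (TSKConfiguration / TSKPinnedDomains / TSKPublicKeyHashes) is assumed from TrustKit's documented configuration.

```python
import plistlib
from datetime import date

# Constructed sample Info.plist with ATS configured but no NSPinnedDomains.
NO_PINNING_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>org.example.nopins</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><false/>
  </dict>
</dict></plist>"""

# Constructed sample Info.plist with a TrustKit pin set whose expiration date is in the past.
EXPIRED_TRUSTKIT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TSKConfiguration</key><dict>
    <key>TSKPinnedDomains</key><dict>
      <key>api.example.org</key><dict>
        <key>TSKExpirationDate</key><string>2020-01-01</string>
        <key>TSKPublicKeyHashes</key><array>
          <string>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</string>
        </array>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def ats_pinned_domains(plist_bytes):
    """Return the domains under NSAppTransportSecurity/NSPinnedDomains that
    actually carry pins (NSPinnedCAIdentities or NSPinnedLeafIdentities).
    An empty list means no ATS pinning is declared, the DEMO-0x01 finding."""
    info = plistlib.loads(plist_bytes)
    pinned = info.get("NSAppTransportSecurity", {}).get("NSPinnedDomains", {})
    return sorted(domain for domain, cfg in pinned.items()
                  if cfg.get("NSPinnedCAIdentities") or cfg.get("NSPinnedLeafIdentities"))


def expired_trustkit_pins(plist_bytes, today=None):
    """Return (domain, expiration) pairs for TrustKit pin sets whose
    TSKExpirationDate (YYYY-MM-DD) is earlier than `today`. After that date
    TrustKit stops enforcing the pins, so these are the DEMO-0x02 finding."""
    today = today or date.today()
    info = plistlib.loads(plist_bytes)
    domains = info.get("TSKConfiguration", {}).get("TSKPinnedDomains", {})
    expired = []
    for domain, cfg in domains.items():
        raw = cfg.get("TSKExpirationDate")
        if raw and date.fromisoformat(raw) < today:
            expired.append((domain, raw))
    return expired
```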



Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Create new MASTG v2 test for custom certificate stores and pinning" to "Port MASTG-TEST-0068 (iOS Certificate Pinning) to v2" Feb 27, 2026
@cpholguera
Collaborator

@copilot please also add the corresponding MASTG-DEMOs with fake IDs as well

Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 27, 2026

@copilot please also add the corresponding MASTG-DEMOs with fake IDs as well

Added four demos in commit 0d0a083:

  • MASTG-DEMO-0x01 — Missing Certificate Pinning in ATS (static, fail): shows an Info.plist without NSPinnedDomains; run.sh greps for the key and produces an empty output.txt, confirming it's absent.
  • MASTG-DEMO-0x02 — Expired Certificate Pins in ATS (static, fail): shows a TrustKit TSKConfiguration with TSKExpirationDate = 2020-01-01; run.sh extracts the date.
  • MASTG-DEMO-0x03 — Runtime Use of Certificate Pinning APIs (dynamic, fail, status: draft): shows a URLSessionDelegate that accepts any credential unconditionally; includes frida-trace and objection steps.
  • MASTG-DEMO-0x04 — Missing Certificate Pinning in Network Traffic (network, fail, status: draft): describes the MITM proxy interception scenario.

Successfully merging this pull request may close these issues.

MASTG v1->v2 MASTG-TEST-0068: Testing Custom Certificate Stores and Certificate Pinning (ios)