Certificate pinning on iOS simulators with iostrust

03.02.2016 Update: iostrust seems to be broken for Xcode 7. I’m currently trying a new approach to fix this issue.

The other day, I published a post on some issues we had regarding certificate pinning and the TLS cache. While the calabash tests were executed, a new issue appears.

We have several backends to speak with. Each uses a SSL certificate, not necessarily a certificate signed by a root CA trusted by iOS.

As explained on the web, it is not a big deal to add a certificate as a trusted one on the simulators: simply drag and drop the concerned certificate on the simulator window.

Our calabash test sequences need to work with fresh new simulators and automatically reset them before starting. By resetting them, we loose all the previous work we did to add the trusted certificates.

I started looking if there was another way to automate the process.

By having used Charles Proxy in the past, I remembered that using the SSL proxying option required that you install a certificate generated by Charles as a trusted one on the simulator. I also remembered that Charles was able to handle it alone.

After looking within the Mac Ox X bundle of the app, I noticed a bash script with an interesting name: install-charles-ca-cert-for-iphone-simulator.sh.

By reading it, I understood that the trusted certificates are stored in a sqlite3 database somewhere in the simulator’s directories.

By Googling a little bit, I discover the ADVTrustStore github repository. It contains a script helping you to install certificates from the command line and a wonderful description on how are trusted certificates handled within the simulators.

I wanted to use the python script, but it does not import a certificate directly on all the simulators, it asks for each simulator it founds if you want to install it :(

Based on this work and the documentation provided, I wrote a gem that automates all the process.

To install it:

$ gem install iostrust

If you want to install a certificate as a trusted one, symply run:

$ iostrust add ./my_cert.cer

Now you have no excuse to avoid certificate pinning :)