iOS: preventing packet capture with Charles
Approach 1: check whether the phone's Wi-Fi has a proxy configured
import Foundation

/// Returns true when the system network settings carry an HTTP or HTTPS proxy,
/// which is how Charles is normally attached to a phone over Wi-Fi.
public func fetchHttpProxy() -> Bool {
    // CFNetworkCopySystemProxySettings follows the Copy rule, so the caller owns the
    // returned reference: takeRetainedValue() hands it to ARC, takeUnretainedValue() leaks it.
    guard let proxy = CFNetworkCopySystemProxySettings()?.takeRetainedValue() else { return false }
    guard let dict = proxy as NSDictionary as? [String: Any] else { return false }
    // "HTTPProxy" / "HTTPSProxy" hold the proxy host; Charles sets both when it is
    // configured as the Wi-Fi proxy, and an HTTPS request goes through the HTTPS entry.
    let httpProxy = dict["HTTPProxy"] as? String ?? ""
    let httpsProxy = dict["HTTPSProxy"] as? String ?? ""
    return !httpProxy.isEmpty || !httpsProxy.isEmpty
}
1. Taking the scene API as an example: with the proxy check in place, enabling a proxy on the phone makes the method return immediately and the request fails.
func getSelectedFamilyDeviceSomeInfo(parameters: Any?, succeed: @escaping ([String: Any]?) -> (), failure: @escaping (Error?) -> ()) {
    let requestUrl: String = SEVER_URL.appending("/developStage/devicegroup/v2/group/someInfo").addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed)!
    print(parameters ?? "")
    NSLog("RequestUrl : " + requestUrl)
    // Refuse to send the request while a system proxy is configured
    if self.fetchHttpProxy() {
        print("++++++++++++ proxy configured, request blocked =======")
        // A String cast with `as? Error` is always nil, so the caller would get no reason;
        // build a real NSError instead.
        failure(NSError(domain: "ProxyDetection", code: -1,
                        userInfo: [NSLocalizedDescriptionKey: "A proxy is configured"]))
        return
    } else {
        print("++++++++++++ no proxy configured, request allowed =======")
    }
    // Success closure
    let successBlock = { (task: URLSessionDataTask, responseObj: Any?) in
        succeed(responseObj as? [String: Any])
    }
    // Failure closure
    let failureBlock = { (task: URLSessionDataTask?, error: Error) in
        failure(error)
    }
    // Put the access token into the request headers before sending
    getAccessToken(success: {
        self.setHttpHeaderBasicProperty()
        self.post(requestUrl, parameters: parameters, progress: nil, success: successBlock, failure: failureBlock)
    }) {
        failure(NSError(domain: "Auth", code: -2,
                        userInfo: [NSLocalizedDescriptionKey: "Please sign in first"]))
    }
}


2. With the proxy check commented out, the request goes through, the UI renders normally, and the scene API traffic can be captured. That is also the limit of this approach: the check lives inside the app, so anyone who can patch or hook the binary on a jailbroken device, or who intercepts through a VPN profile rather than a Wi-Fi proxy, gets the same result. It raises the bar; it does not protect the traffic.

Approach 2: certificate validation (SSL pinning)
1. The client needs the server's certificate as a .cer file (DER encoding). Ask the server team for it; if they hand you a PEM file, convert it first (openssl x509 with -outform DER).
2. Add the certificate to the project: drag the .cer file into the relevant folder of your Xcode project, making sure Copy items if needed and Add to targets are checked. AFSecurityPolicy's certificatesInBundle: loads every .cer file it finds in the bundle, so no further registration is needed.
3. What the parameters mean
AFSecurityPolicy
SSLPinningMode
AFSecurityPolicy is AFNetworking's network security policy module. It offers three SSL pinning modes:
/**
 ## SSL Pinning Modes
 The following constants are provided by `AFSSLPinningMode` as possible SSL pinning modes.
 enum {
 AFSSLPinningModeNone,
 AFSSLPinningModePublicKey,
 AFSSLPinningModeCertificate,
 }
 `AFSSLPinningModeNone`
 Do not use pinned certificates to validate servers.
 `AFSSLPinningModePublicKey`
 Validate host certificates against public keys of pinned certificates.
 `AFSSLPinningModeCertificate`
 Validate host certificates against pinned certificates.
 */
AFSSLPinningModeNone: no pinning; the server certificate is only checked against the system trust store. That check is exactly what a Charles root CA installed and trusted on the phone satisfies, so this mode does nothing against capture.
AFSSLPinningModePublicKey: compares only the public key of the server certificate with the public key of the bundled certificate; if they match the server is trusted.
AFSSLPinningModeCertificate: compares the entire server certificate with the bundled certificate; only an exact match is trusted.
Which mode should you choose?
AFSSLPinningModeCertificate: the strictest comparison, but also the most maintenance. The certificate is packaged in the app, so when the server certificate is renewed or expires, old versions stop working and users have to update the app to get the new certificate.
AFSSLPinningModePublicKey: only the public key is compared, so as long as the server keeps the same key pair on renewal, changes to the rest of the certificate (serial, validity period, issuer) do not break the app.
If you cannot guarantee that your users always run the latest version of the app, use AFSSLPinningModePublicKey. It still needs the server side to keep the key pair across renewals; since AFSecurityPolicy accepts a set of pinned certificates, bundling a certificate for a backup key as well avoids locking out old versions when the key does have to rotate.
allowInvalidCertificates
/** Whether or not to trust servers with an invalid or expired SSL certificates. Defaults to `NO`. */
@property (nonatomic, assign) BOOL allowInvalidCertificates;
Whether to trust servers whose certificate is invalid or expired; defaults to NO. Keep the default in release builds: YES skips the system chain check, and is only appropriate for a development server with a self-signed certificate.
validatesDomainName
/** Whether or not to validate the domain name in the certificate's CN field. Defaults to `YES`. */
@property (nonatomic, assign) BOOL validatesDomainName;
Whether to check that the certificate is issued for the host being contacted (its CN or subject alternative name, which may be an IP address or a domain such as *.google.com). Defaults to YES and should stay YES: without it, any certificate carrying the pinned key is accepted regardless of which host it was issued for.
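The trade-off between the two pinning modes above, and the reason validatesDomainName should stay on, can be seen without an iOS device. The following Go program is an added example, not code from this page or from AFNetworking: it issues a certificate and a "renewed" certificate for the same key, shows that the whole-certificate hash (what AFSSLPinningModeCertificate effectively compares) changes on re-issuance while the SubjectPublicKeyInfo hash (what AFSSLPinningModePublicKey effectively compares) stays the same, and then runs a public-key pin check with and without the hostname check. The host names and keys are generated inside the program and are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a fresh P-256 key pair standing in for the server's TLS key.
func NewKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// SelfSigned issues a one-year self-signed certificate for host with the given key,
// starting yearOffset years from now. Serial and validity differ between issuances,
// as on a real renewal, while the SubjectPublicKeyInfo is fixed by the key.
func SelfSigned(key *ecdsa.PrivateKey, host string, serial int64, yearOffset int) *x509.Certificate {
	notBefore := time.Now().AddDate(yearOffset, 0, 0)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname checks look at the SAN, not only the CN
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// CertPin hashes the whole DER certificate: the quantity a certificate pin
// effectively compares, so any re-issuance changes it.
func CertPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// SPKIPin hashes only the SubjectPublicKeyInfo: the quantity a public-key pin
// effectively compares, so it survives renewal as long as the key is kept.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// CheckPublicKeyPin mirrors the public-key pinning decision together with the
// validatesDomainName switch: the leaf's SPKI must be in the pinned set and, when
// validateDomain is true, the certificate must also be valid for host.
func CheckPublicKeyPin(leaf *x509.Certificate, pinned [][32]byte, host string, validateDomain bool) error {
	got := SPKIPin(leaf)
	matched := false
	for _, p := range pinned {
		if p == got {
			matched = true
			break
		}
	}
	if !matched {
		return fmt.Errorf("public key %s is not pinned", base64.StdEncoding.EncodeToString(got[:]))
	}
	if validateDomain {
		if err := leaf.VerifyHostname(host); err != nil {
			return fmt.Errorf("pinned key presented for the wrong host: %w", err)
		}
	}
	return nil
}

func main() {
	const host = "api.example.com" // assumed hostname
	key := NewKey()
	old := SelfSigned(key, host, 1, -1)    // issued a year ago, about to expire
	renewed := SelfSigned(key, host, 2, 0) // renewed today with the same key
	pins := [][32]byte{SPKIPin(old)}       // what the shipped app bundles

	fmt.Println("certificate hash changed on renewal:", CertPin(old) != CertPin(renewed))
	fmt.Println("public key hash stable on renewal:  ", SPKIPin(old) == SPKIPin(renewed))
	fmt.Println("renewed cert passes key pin:", CheckPublicKeyPin(renewed, pins, host, true))

	// An intercepting proxy presents a certificate for the same host under its own key.
	mitm := SelfSigned(NewKey(), host, 3, 0)
	fmt.Println("interception cert:", CheckPublicKeyPin(mitm, pins, host, true))

	// The pinned key on a certificate for another name: only the domain check catches it.
	otherHost := SelfSigned(key, "other.example.net", 4, 0)
	fmt.Println("wrong host, domain check on: ", CheckPublicKeyPin(otherHost, pins, host, true))
	fmt.Println("wrong host, domain check off:", CheckPublicKeyPin(otherHost, pins, host, false))
}
```

The first two lines of output are the whole argument for public-key pinning: the certificate pin breaks on renewal, the key pin does not. The last two lines show why validatesDomainName belongs on even with pinning in place: a pin only proves the key, not which host the certificate was issued for.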
4. Configuring SSL pinning with AFSecurityPolicy
+ (AFHTTPSessionManager *)manager {
    static AFHTTPSessionManager *manager = nil;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        NSURLSessionConfiguration *config = [NSURLSessionConfiguration defaultSessionConfiguration];
        manager = [[AFHTTPSessionManager alloc] initWithSessionConfiguration:config];
        // Pin on the public key of every .cer in the main bundle. allowInvalidCertificates
        // stays NO and validatesDomainName stays YES (the defaults), so the system chain
        // check and the hostname check still run in addition to the pin.
        AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey
                                                            withPinnedCertificates:[AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]]];
        manager.securityPolicy = securityPolicy;
    });
    return manager;
}
With this in place, the certificate Charles generates for the host is signed by the Charles root CA under Charles's own key; its public key does not match the bundled one, the TLS handshake is rejected, and the request never reaches the proxy in the clear.
