First, prevent packet capture through a proxy configured on the phone
With the help of CFNetwork, when the application returns to the foreground from the background it checks whether a proxy is set. If a proxy is set, a pop-up prompt is shown.
+ (BOOL)getProxyStatus {
    // System-wide proxy configuration (non-ARC: the copied object is autoreleased)
    NSDictionary *proxySettings = NSMakeCollectable([(NSDictionary *)CFNetworkCopySystemProxySettings() autorelease]);
    // Proxies the system would use to reach this URL
    NSArray *proxies = NSMakeCollectable([(NSArray *)CFNetworkCopyProxiesForURL((CFURLRef)[NSURL URLWithString:@"http://www.baidu.com"], (CFDictionaryRef)proxySettings) autorelease]);
    NSDictionary *settings = [proxies objectAtIndex:0];
    NSLog(@"host=%@", [settings objectForKey:(NSString *)kCFProxyHostNameKey]);
    NSLog(@"port=%@", [settings objectForKey:(NSString *)kCFProxyPortNumberKey]);
    NSLog(@"type=%@", [settings objectForKey:(NSString *)kCFProxyTypeKey]);
    // Compare against the CFNetwork constant instead of a hand-typed string literal
    if ([[settings objectForKey:(NSString *)kCFProxyTypeKey] isEqualToString:(NSString *)kCFProxyTypeNone])
    {
        // No proxy is set
        return NO;
    }
    else
    {
        // The proxy is set
        return YES;
    }
}
In addition, regarding autorelease: if the project uses ARC, mark this file as non-ARC under Target -> Build Phases -> Compile Sources by changing its Compiler Flags to -fno-objc-arc.
SSL Pinning (AFN + SSL Pinning)
Set up a different pinning mode if you need to take certificate validity into account
SSL Pinning means SSL certificate binding: the client binds the server's SSL certificate and uses it to verify the server's identity, which prevents packet capture.
1. Obtain the certificate
The client requires a certificate file in .cer format. You can ask the server side for it. If they give you a .pem file, convert it on the command line:
openssl x509 -inform PEM -in name.pem -outform DER -out name.cer
If given a .crt file, convert it like this:
openssl x509 -in name.crt -out name.cer -outform der
If you are given nothing at all, you'll have to fetch it yourself:
openssl s_client -connect www.website.com:443 </dev/null 2>/dev/null | openssl x509 -outform DER > myWebsite.cer
2. Add certificates to the program
Drag the generated .cer certificate file directly into the relevant folder of your project. Check "Copy items if needed" and "Add to targets".
3. Meaning of parameter names
AFSecurityPolicy SSLPinningMode
AFSecurityPolicy is the network communication security policy module in AFNetworking. It offers three SSL Pinning modes.
SSL Pinning Modes
AFSSLPinningModeNone: fully trusts the server certificate.
AFSSLPinningModePublicKey: only compares the Public Key of the server certificate with the Public Key of the local certificate; if they are consistent, the server certificate is trusted.
AFSSLPinningModeCertificate: compares the entire content of the server certificate with the local certificate; if they are the same, the server certificate is trusted.
Which mode to choose?
AFSSLPinningModeCertificate: the safest mode. However, it is also the most troublesome, because the certificate is packaged in the app. If the server certificate changes or expires, the old version of the app can no longer be used, and users have to update the app to get the latest certificate.
AFSSLPinningModePublicKey: only compares the Public Key of the certificate. As long as the Public Key does not change, other changes to the certificate do not affect use. If you cannot guarantee that your users always run the latest version of your app, use AFSSLPinningModePublicKey.
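The trade-off above can be checked from the command line. This is an added example, not code from the original article: it issues two self-signed certificates from one key pair (a constructed stand-in for a renewal that keeps the key), converts them with the same PEM-to-DER command as in step 1, and compares the whole-certificate and public-key digests. The file names, the CN pinning-demo.example and the use of SHA-256 digests in place of AFNetworking's own comparison are assumptions.

```shell
#!/bin/sh
# Added illustration; file names and the CN are constructed placeholders.

# SHA-256 of the whole DER certificate (stand-in for a full-certificate pin).
cert_digest() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key only (stand-in for a public-key pin).
pubkey_digest() {
    openssl x509 -inform DER -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Issue "old" and "renewed" self-signed certificates from ONE key pair,
# convert both to .cer as in step 1, and print the directory holding them.
make_renewed_pair() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    serial=1
    for name in old renewed; do
        openssl req -new -x509 -key "$dir/server.key" \
            -subj "/CN=pinning-demo.example" -set_serial "$serial" \
            -days 30 -out "$dir/$name.pem" 2>/dev/null || return 1
        openssl x509 -inform PEM -in "$dir/$name.pem" \
            -outform DER -out "$dir/$name.cer" || return 1
        serial=$((serial + 1))
    done
    echo "$dir"
}

# Would a pin taken from certificate $1 still accept certificate $2?
compare_pins() {
    c=mismatch; k=mismatch
    [ "$(cert_digest "$1")" = "$(cert_digest "$2")" ] && c=match
    [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ] && k=match
    echo "certificate=$c publickey=$k"
}

# prints: certificate=mismatch publickey=match
demo_dir=$(make_renewed_pair) &&
    compare_pins "$demo_dir/old.cer" "$demo_dir/renewed.cer"
```

A renewal that also generates a new key pair changes both digests, so a public-key pin only survives when the server keeps its key.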
Set up SSL Pinning using AFSecurityPolicy
+ (AFHTTPSessionManager *)manager
{
    static AFHTTPSessionManager *manager = nil;
    static dispatch_once_t onceToken;
    // Build the shared manager once and attach the pinning policy to it
    dispatch_once(&onceToken, ^{
        NSURLSessionConfiguration *config = [NSURLSessionConfiguration defaultSessionConfiguration];
        manager = [[AFHTTPSessionManager alloc] initWithSessionConfiguration:config];
        // Public-key pinning against every .cer file found in the app bundle
        AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey withPinnedCertificates:[AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]]];
        manager.securityPolicy = securityPolicy;
    });
    return manager;
}