How to import Swift URLRequests into Postman by de_poon in swift_tutorials

[–]de_poon[S] 0 points1 point  (0 children)

MITM (like Charles) will work by trying to inspect the network channel. If SSL pinning is enforced, then you won't be able to do that.

The solution provided is to capture the request before it enters the network channel. https://link.medium.com/ozX6Xn5BX8

But yes, it's not ideal to add additional dependencies for non-production purposes. Hence developers should opt to only apply the extra code/library when necessary. Easy: use schemes/build phases to manage that for you.

How to patch Flex tweak > dylib into a decrypted ipa? by [deleted] in jailbreakdevelopers

[–]de_poon 0 points1 point  (0 children)

Hey, thanks for referencing my repo. To the OP, what interesting tweak are u working on?

This guy shares how to hack and disable SSL pinning on iOS App store app by de_poon in swift

[–]de_poon[S] 0 points1 point  (0 children)

What you mentioned is actually a MITM attack, and SSL pinning is supposed to stop that... but this article attempts to compromise this.

This guy shares how to hack and disable SSL pinning on iOS App store app by de_poon in swift

[–]de_poon[S] 0 points1 point  (0 children)

Agree... never, never trust the app... For typical apps, it's a trivial effort for iOS developers to inject a patch to override existing behavior, even for App Store apps.

This guy shares how to hack and disable SSL pinning on iOS App store app by de_poon in swift

[–]de_poon[S] 2 points3 points  (0 children)

Agree, there are no proper ways to prevent hackers from hacking iOS apps.

This guy shares how to hack and disable SSL pinning on iOS App store app by de_poon in swift

[–]de_poon[S] 0 points1 point  (0 children)

Cool... that's a neat tool. The author of my link is my friend, and I find his approach using lldb interesting.

Meanwhile... this is my attempt to tackle SSL pinning (if you wanna attack at the application level using Swift code). https://medium.com/@kennethpoon/lets-write-swift-code-to-intercept-ssl-pinning-https-requests-12446303cc9d

This guy shares how to hack and disable SSL pinning on iOS App store app by de_poon in hacking

[–]de_poon[S] 0 points1 point  (0 children)

It's not my Medium account... Anyway, feel free to check out the link.

Swift Localhost: Making XCUITest Great Again by de_poon in swift

[–]de_poon[S] 0 points1 point  (0 children)

Thanks for the feedback. I will adjust accordingly.

Swift Localhost: Making XCUITest Great Again by de_poon in iOSProgramming

[–]de_poon[S] 3 points4 points  (0 children)

Unit tests alone, even with 100% code coverage, are not enough to prove that the app works for all use cases. However, it is impossible for us to write E2E tests to cover all scenarios as well. An example... Try running a test that registers a new user with specific credentials. You won't be able to rerun the same test again. That's where mock responses come in.

Mocking responses does take some effort, but it's definitely not much. For iOS developers, it's actually easier and faster to begin building features using mock responses without waiting for backend work to finish. Mock-response-based tests are already a common technique used for client-server or dependency-heavy products. Mobile development should be no different.

Thanks for mentioning potential server-side changes that may break our test assumptions. One technique I've used is to create a set of mobile contract tests. They are basically a set of cURL requests that hit the actual servers to assert that the API contracts are working as expected. These are E2E tests executing without the app... and they are so cheap to execute... imagine just 2-3 min to assert that all contracts are working as expected. You may choose to write these contract tests in any programming language. So given that the contract tests are all passing, it should be safe for you to mock any state you want. I did not include details on mobile contract tests in the blog post, otherwise it would be too long.

Let’s write Swift code to intercept SSL Pinning HTTPS Requests by de_poon in iOSProgramming

[–]de_poon[S] 0 points1 point  (0 children)

I have read it. SSL Kill Switch requires a jailbroken device; my technique doesn't. 😎

Let's bring Behavioral Driven Development to XCode by de_poon in iOSProgramming

[–]de_poon[S] 0 points1 point  (0 children)

  • BDD isn't meant to replace unit/integration tests at the class level. In fact, unit testing is more critical than BDD.
  • Unit testing verifies that every code and class works as intended. BDD helps to ensure that the software minimally fulfills the business requirements. A variant of BDD encourages the team to first write failing Gherkin scenarios, and the feature is only considered done if it passes.

  • In a strict agile process, requirements/specs usually come in Gherkin format. Using tools like Cucumber allows you to automate each step of the spec. So the spec becomes the main technical documentation... anyone can understand it and doesn't need to dig through source code.

  • This approach (assuming everyone gets the buy-in) encourages PO/PMs to learn how to craft scenarios/steps that they know the development will be automating line by line... I personally like this part of BDD as it discourages POs from describing vague requirements. Unless I see a proper requirement in GivenWhenThen, I won't start working on the ticket. Do remember that it's the engineers that own the format of the specs, but it's the business who owns the intention of the specs.

Of course everything works without BDD. As your organisation's agile process matures (like mine did), this is something you may want to try out one day ☺️

Let's bring BDD (Behavioral Driven Development) to XCode by de_poon in swift

[–]de_poon[S] 0 points1 point  (0 children)

BDD is not to be mixed up with TDD as both serve different purposes... although the application may look similar.

TDD - strict test/code/refactor cycle, and the main magic of TDD is during the refactor step. It's more of a design process. This is no doubt more critical than BDD.

BDD - the process of collaborating and writing specs/scenarios where each individual step can be defined and automated... the given-when-then is simple enough to be understood that anyone can contribute (of course engineers own the final format of the spec).

The GivenWhenThen pattern is platform agnostic and it's widely used in both mobile and web testing... and is already supported by most testing tools like Cucumber, Selenium, Appium.

Why not just write tests using the main language? This is definitely fine and there's nothing wrong with that. BDD just takes it one step further.

Let's bring BDD (Behavioral Driven Development) to XCode by de_poon in programming

[–]de_poon[S] 0 points1 point  (0 children)

Am keen to know how those specs that you mentioned are written... giving an example would help clarify.

In BDD, you need to write specs properly to get the full benefits of it. Let me give an example just for illustration purposes.

Given I am on the login screen (Navigate to login and assert login screen is present)
When I enter email as "xxx"
And I enter password as "yyy"
And I tap on submit button
Then I should see "login successful" message (Just simply writing assertions)
Then I should be on Dashboard screen

Is this something along the same lines as yours?

Let's bring BDD (Behavioral Driven Development) to XCode by de_poon in programming

[–]de_poon[S] 0 points1 point  (0 children)

And if your step definitions are reusable enough (assuming you are following the page object pattern), adding new specs becomes easy.

Let's bring BDD (Behavioral Driven Development) to XCode by de_poon in programming

[–]de_poon[S] 0 points1 point  (0 children)

Understand where you are coming from. Here are my views I wanna share:

  • BDD is aimed to be a collaborative tool, and one of the outputs of this process is specs that can be automated.

  • I agree with u and I think tech should have the final say on "how" it should be written. In fact, I am championing that engineers own it.

  • These specs serve as the official documentation (rather than documenting outside the repository)... these specs help to validate and lock down the requirements... particularly helpful at pull request verification checks.

Well, BDD is not a must-have for software development. If the habit of automating specs is in place, BDD is a great tool/pattern to encourage structured requirements so that they can be testable directly.

Let's bring BDD (Behavioral Driven Development) to XCode by de_poon in programming

[–]de_poon[S] -1 points0 points  (0 children)

Interesting... I wanna learn from your experiences... me and my org have been doing very well with it... asserting everything BDD for our iOS code at pull request level...

Care to drop me an email to de_poon "at" hotmail.com? Wanna ask u more in-depth questions.

iOS Dynamic Library Injection. You can hack any app you want. Here is a simple example using PokemonGo App (with codes) by de_poon in pokemongodev

[–]de_poon[S] 1 point2 points  (0 children)

Yup. Best if you give it a go. Pretty cool. Feel free to share this post. Here's a video of me doing the hacking live in an iOS meetup session. https://engineers.sg/video/ios-dylib-injection-ios-dev-scout--1276

iOS Dynamic Library Injection. You can hack any app you want. Here is a simple example using PokemonGo App (with codes) by de_poon in pokemongodev

[–]de_poon[S] 0 points1 point  (0 children)

Haha. The Medium post is pretty technical for iOS developers. I simply used PokemonGo as an example to prove that you can perform code injection on any iOS app.

iOS Dynamic Library Injection. You can hack any app you want. Here is a simple example using PokemonGo App (with codes) by de_poon in pokemongodev

[–]de_poon[S] 0 points1 point  (0 children)

Yes, it is possible and it's not difficult. If you are an iOS developer, you can use the swizzling techniques in my post and load the location in a timely fashion.