What is certificate pinning?

Certificate pinning is a security technique that increases secure communication over the TLS (transport layer security) protocol, like HTTPS. It ties a chosen TLS certificate or public key exclusively to the API server, allowing the application to reliably confirm the server's identity each time it connects. During interactions, the server presents a digital certificate to prove its identity and secures the encryption of data sent through APIs between the client and server. By matching the server’s shown certificate against a predetermined or "pinned" certificate within the app, certificate pinning ensures an additional layer of security, preventing man-in-the-middle (MITM) attacks and ensuring server communication integrity.

Summary

Certificate pinning strengthens the trust relationship between an app and its designated server. By embedding a known, specific certificate or public key within the application, it can verify the server's identity with certainty, making it much harder for attackers to intercept or tamper with data. This method is especially crucial in protecting against MITM attacks, where an attacker could present a fraudulent certificate to impersonate the server. Through certificate pinning, applications can ensure that they communicate only with the legitimate server, safeguarding data integrity and confidentiality during TLS connections.

Deep dive

Certificate pinning plays an important role by establishing a trusted connection between an app and its server, mitigating the risk of man-in-the-middle (MITM) attacks. This is achieved by embedding a known, trusted certificate or public key within the app itself. When the app attempts to connect to the server, it verifies the server's certificate against the embedded one. If they match, the connection is trusted. Otherwise, it's blocked.

This method ensures that even if a malicious actor were to intercept the connection and present a valid certificate from a compromised or rogue Certification Authority (CA), the connection would not be trusted unless it matches the pinned certificate.

Here is how you can implement certificate pinning in a few steps:

  1. Obtain and store the server's certificate or public key: The first step in implementing certificate pinning involves obtaining the server's public key or entire certificate and then embedding this information directly into the app. This can be done during the app's development phase.
  2. Modify the app to validate the pinned certificate: The app's code must be modified to include a validation check that compares the server's presented certificate (or public key) during the TLS handshake process with the pinned certificate (or public key) stored within the app. If the certificates match, the connection is considered secure. If not, the app terminates the connection.
  3. Handling certificate updates: Since certificates have expiration dates, it's important to plan for updates to the pinned certificates. This can involve updating the app with the new certificate before the old one expires or implementing a mechanism to dynamically update the pinned certificate without needing to release a new version of the app.
  4. Testing: Rigorous testing is essential to ensure that the pinning implementation works as intended across various scenarios, including certificate renewals and potential attack simulations.

 

SSL certificate pinning vs TLS certificate pinning

The difference between transport layer security and secure sockets layer (SSL) is significant, although they are often used interchangeably. SSL is the predecessor to TLS, and both protocols provide encryption and data integrity between clients and servers over the internet. However, TLS offers stronger encryption algorithms and has become the standard for secure web communications. Certificate pinning can apply to both, but it's more commonly associated with TLS due to its widespread adoption and enhanced security features.

Certificate pinning vs OCSP stapling

Certificate pinning and Online Certificate Status Protocol (OCSP) stapling are security measures designed to enhance the security of TLS connections, but they serve different purposes and operate in distinct ways. OCSP stapling, a form of security stapling, allows a server to provide the client with the OCSP response showing that the server's certificate is valid. With this approach, MITM attacks are still possible because the CA that issued the certificate for the MITM attack could generate a valid OCSP response to staple to it. Nevertheless, the effectiveness of OCSP stapling is primarily against certificate revocation rather than impersonation or MITM where the attacker has a valid certificate.

On the other hand, certificate pinning involves hardcoding the certificate or public key of a server into an app or client. This means the app is configured to trust a specific certificate or public key. When the app connects to the server, it checks that the server's presented certificate or public key matches the hardcoded one. If they match, the connection proceeds. If not, the connection is terminated.

Both security measures offer different benefits. OCSP stapling improves privacy and performance in the certificate revocation checking process, while certificate pinning provides a robust defense against certain types of MITM attacks by establishing a predetermined trust with specific server certificates or public keys.

Android certificate pinning

Certificate pinning is implemented for Android apps to ensure that communications with servers remain secure. Android developers have various tools for this, like the Network Security Configuration feature, which allows specifying trusted certificates and domains in a configuration file or through code by using APIs that validate server certificates against pinned certificates. Developers can also use third-party libraries like OkHttp for enhanced pinning capabilities. Effective certificate management is crucial, as pinned certificates must be updated before expiration to maintain app functionality and security.

iOS certificate pinning

Certificate pinning on iOS is achieved by comparing the server's certificate or public key against one that’s preloaded into the app. iOS developers commonly implement pinning within URLSession delegate methods, ensuring that every server connection undergoes this critical security check. For added convenience and functionality, third-party libraries like Alamofire are available, simplifying pinning in Swift-based apps. However, iOS developers should proactively manage and update pinned certificates to address expiration, maintaining seamless and secure app operation.

Bypassing certificate pinning

One of the main challenges of certificate pinning is managing pinned certificates. If a certificate is updated or replaced and the app is not simultaneously updated to reflect this change, users could be locked out, disrupting the app's functionality. Moreover, skilled attackers have developed methods to bypass certificate pinning, exploiting weaknesses in the implementation or using tools designed for penetration testing to intercept and analyze encrypted traffic.

Techniques such as SSL stripping, where an attacker downgrades a secure HTTPS connection to an insecure HTTP connection, or using proxy tools to present forged certificates that appear valid, can sometimes evade pinning protections.

Furthermore, attackers may engage in reverse engineering the app, modifying it and repackaging it, or using dynamic attacks directly to circumvent certificate pinning. While obfuscation can offer a layer of security by making the code harder to analyze, encryption provides a stronger safeguard by ensuring that even if attackers access the code, the critical data remains inaccessible. However, neither obfuscation nor encryption is sufficient on their own against determined attackers. Implementing runtime protections is crucial to defend against manipulation and ensure the integrity of the app's operations.

The methods described above highlight the importance of implementing certificate pinning as part of a comprehensive security strategy. Such a strategy should include regular updates, regular monitoring for vulnerabilities, and additional security measures like app shielding, secure encryption, and runtime protections to guard against the evolving threat landscape.

Examples

  1. Banking and financial apps: These apps handle highly sensitive financial data, including account details and transaction history. Certificate pinning helps ensure that users communicate directly with the legitimate bank server, protecting against fraud and data theft.
  2. E-commerce apps: Since users enter payment information and personal details, certificate pinning is vital for preventing MITM attacks, ensuring secure transactions, and protecting user data.
  3. Enterprise apps are used by businesses to access proprietary and confidential company information remotely. Certificate pinning helps secure corporate data against interception or unauthorized access.

History

Certificate pinning emerged as a response to the increasing sophistication of cyber attacks, particularly MITM attacks, in which attackers could exploit the trust model of TLS by presenting forged certificates from compromised or less secure CAs. Its development aimed to mitigate such threats by allowing applications to enforce a stricter trust model than the traditional CA-based system.

Future

Certificate transparency can complement certificate pinning. By requiring that all certificates issued by CAs be logged in publicly accessible logs, Certificate Transparency helps detect mis-issued or malicious certificates quickly. This development provides an additional layer of security and transparency, helping mitigate some risks associated with compromised CAs.

And there are other measures beyond certificate pinning that can strengthen app security.

Promon's app shielding solution protects mobile apps from various attack vectors, including reverse engineering and tampering using multiple defense techniques:

  • Repackaging protection: Prevents attackers from modifying an app, repackaging it, and distributing the altered version.
  • Anti-debugging: Blocks attempts by attackers to debug the application, a common tactic used to understand app behavior or to find vulnerabilities.
  • Anti-emulator techniques: Stops attackers from running the app in an emulator environment, which is often used for malicious analysis.
  • Hooking detection: This feature detects and prevents hooking attacks, in which attackers insert custom code to intercept function calls or messages within the app.

These features safeguard the app's integrity and communication protocols, like certificate pinning, ensuring that sensitive data remains secure.

Encrypting data securely

  • Beyond certificate pinning, encrypting data such as API keys adds a vital layer of security. This prevents unauthorized access and misuse by ensuring that even if data is intercepted, it remains incomprehensible without the decryption key.
  • Facilitate secure encryption and storage of API keys and other sensitive assets. By encrypting these assets during the app shielding process and decrypting them only when needed at runtime, solutions like Promon Asset Protection minimize the risk of leakage or unauthorized access.

Mutual transport layer security (mTLS) extends the concept of TLS by requiring both the client (app) and the server (API) to authenticate each other before establishing a secure connection. This mutual authentication ensures that both parties are verified, significantly enhancing security. However, mTLS comes with its challenges:

  • Certificate validation issues: Ensuring the ongoing integrity and validity of certificates on both sides can be complex.
  • Single point of failure: If the private key on either side is compromised, the security of the entire communication channel can be jeopardized.
  • Certificate expiry and revocation: Managing the lifecycle of certificates, including renewal and revocation, requires diligent oversight to avoid security lapses.

App Attestation provides an added verification layer for apps communicating with multiple APIs

  • Solutions like Promon App Attestation validate an app's authenticity before allowing API connections, ensuring only legitimate apps access sensitive resources.
  • This verification thwarts unauthorized or compromised apps from exploiting the APIs, bolstering security even if an API is exposed as open.

By integrating App Attestation, organizations further secure their mobile applications and the APIs they interact with. This ensures that even if other security measures are bypassed, the integrity and authenticity of the app itself provide a formidable barrier against unauthorized access.

Collectively, app shielding, secure data encryption, mTLS, and app attestation constitute a multi-faceted defense strategy, significantly enhancing the security posture of mobile applications and their communications infrastructure.

 

Sources

  1. https://www.ssl.com/blogs/what-is-certificate-pinning/
  2. https://www.ssldragon.com/blog/certificate-pinning/
  3. https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
  4. https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning
  5. https://developer.android.com/privacy-and-security/security-config
  6. https://certificate.transparency.dev/