Securing Mobile Applications with Cert Pinning

Cert pinning is a security process in which an application developer explicitly defines which certificates the mobile app will accept, so as to secure the communications a user makes while using the application. The connection from the app's request to the backend server must be protected, and this is where transport encryption and HTTPS come into the picture.

HTTPS, i.e. TLS/SSL, provides two main benefits:

  • Encryption of the communication, so that cyber-criminals cannot read the data in transit
  • Prevention of Man-in-the-Middle (MITM) attacks, by verifying that the application is communicating with the genuine backend server and not with a server controlled by a hijacker.

The mobile application is a step ahead of the web browser here, because it knows in advance which server it should talk to, whereas a browser may connect to any server the user asks for. Hence certificate pinning is essential for securing an app and for protecting user data while the app is in use.

In short, TLS pinning secures the channel between two communicating parties, i.e. the mobile app and the backend application programming interface (API). You may have noticed while doing mobile app testing that many apps are vulnerable to MITM attacks.

What is a Man-in-the-Middle Attack?

We are all aware that mobile apps talk to backend servers and systems and need secure communications to protect user privacy. In an MITM attack, an attacker looks for a loophole in this communication and inserts themselves as the "man in the middle" between the user's mobile app and the backend server. These attacks are dangerous because the attacker can read, alter, or misuse the data exchanged between the two communicating parties.

Attackers try many different ways to grab information. The variety of MITM techniques keeps developers busy, forcing them to apply diverse protections to their apps. A few coding techniques need to be implemented to safeguard apps to the level users expect.

[Figure: CERT Pinning] (Credits: https://dzone.com/refcardz/securing-mobile-applications-with-cert-pinning?chapter=1)


How is an MITM attack made on mobile apps?

In digital eavesdropping, the attacker acts as a proxy and relays the communication between two parties or systems. Neither party is aware that a third party is sitting in between, altering or dropping messages as it wishes.

So, when the developers of an app are unable to detect such threats at an early stage, the app becomes vulnerable to MITM attacks. Example: if you are using a shopping app to buy a product, your credit card number is likely to be stolen and misused.

An MITM attack sniffs the confidential information exchanged between the app and its server, giving the attacker access to the mobile data passing between them.

Credits: https://www.thesslstore.com/blog/tls-pinning-in-mobile-apps/

It has also been noticed that many third-party apps do not follow the security protocol, and even though some developers do implement TLS pinning, the app download and installation process is still an open entry point for these fraudsters. They sometimes replace or remove the certificate, enabling MITM attacks, and this is where certificate pinning plays its role.

What is certificate pinning?

TLS certificate pinning stores a trusted certificate inside the mobile app and rejects unknown certificates presented by suspicious servers. The app relies only on its own stored certificate and ignores the device's trust store. Moreover, it only allows HTTPS/TLS connections to hostnames whose certificate chains match the certificates stored in the application.

This, in turn, protects the sensitive information the user sends from the mobile app. Without pinning, when making a TLS connection the client only checks that the server's certificate chains to a trusted root and that it matches the requested hostname. It does not check that it is the specific certificate you know your server uses. This creates a security hole: the device's trust store can be hijacked, for example by tricking the user into installing a risky certificate, and the connection still passes validation. This situation leads to an MITM attack.

Certificate pinning, or public key pinning, also refuses communication with servers that present self-signed certificates, even for different hostnames, giving stronger HTTPS security. Since the hostname is associated with a public key, both validations, i.e. certificate validation and hostname validation, are performed, which successfully prevents MITM attacks.

Even if users are tricked into installing a compromised certificate on their device, pinning refuses to transmit data in such circumstances, thus keeping the data secure. Correctly implemented pinning by Android and iOS developers decreases the risk of information leaks and acts as a countermeasure against such attacks.

When is the certificate pinning done?

Certificate pinning is tied to the destination hostname, which is what creates trust for users. Developers do cert pinning inside the mobile app at the time the app is developed. Cert pinning done at a later stage is of no use, because by then the app has been exposed to proxying and fraud.

Validating the certificate against a trustworthy root CA (Certificate Authority), together with pinning it directly into the mobile app at the right time, helps prevent MITM attacks.

Why is certificate pinning needed?

Android and iOS devices ship with a list of trusted root CAs pre-installed by the manufacturer; these system CAs are always treated as more trustworthy than user-installed CAs.

Apps check the certificate presented by the server against this manufacturer list to decide whether it is trustworthy. If certificate pinning is not done, an app will accept any certificate issued by any CA in the list as long as it matches the hostname. The chance of accepting a compromised certificate increases in such cases, and so does the risk of losing sensitive information to eavesdroppers. Even basic server certificate validation (checking the hostname and the expiry date) is essential before a TLS handshake is allowed to complete.

Advantages:

  • Reduces the threat of a rogue CA
  • Increases in-app data security and user privacy
  • Budget-friendly
  • Raises the resource cost for attackers targeting the mobile app
  • Reduces exposure to eavesdropping and to malware on the user's device
  • Allows MITM attempts to be reported and analysed

Disadvantages:

  • Complex process, because you need to rewrite code
  • Less flexibility
  • Tedious, because you need to update the app binary on every certificate change


How to handle a cert pinning error?

Any cert pinning error faced by a mobile app can be resolved in 2 ways:

  • SoftFail: allow the app to connect to the server, but log and report the verification failure
  • HardFail: stop the app from connecting to the server; this may impact the user experience, but it is the more secure option.


Types of Certificate Pinning:

There are three levels of the certificate chain at which you can pin, and each provides a different level of security depending on your choice.

  1.    Leaf Certificate:

A leaf certificate (a server certificate, email certificate, or code signing certificate), also called an end-entity certificate, does not sign other certificates. Its validity period is short, and pinning to a leaf certificate guarantees that this exact certificate and chain is 100% valid even if the root certificate is compromised.

  2.    Intermediate Certificate:

Pinning to an intermediate certificate means that you trust your intermediate CA to issue a valid certificate for your server. The intermediate can sign other certificates too. As long as the issuing CA stays the same, changes to the leaf certificate will keep working without updating the app.

  3.    Root Certificate:

The root certificate, rightly called the trust anchor, is a self-signed certificate that can be used to sign other certificates. Here you trust the root CA and its intermediaries to issue genuine certificates. If that CA is compromised, it is a serious danger sign. Hence it is essential to have strong certificate validation.

Credits: https://dzone.com/refcardz/securing-mobile-applications-with-cert-pinning?chapter=3

Pinning against multiple levels improves app security, as more certificate issuers then protect it.

How does cert pinning work on Android?

First decide what you want to pin: the certificate or the public key. It is generally advisable to pin the public key (the SubjectPublicKeyInfo, SPKI) rather than the certificate or its hash, because it is easier to manage: the public key stays unchanged even after the certificate expires and is renewed.

On Android, developers configure certificate pinning by listing the SHA-256 hashes of the certificates' public keys, together with backup keys, in res/xml/network_security_config.xml. Backup keys keep the app usable in case of a certificate change or a critical incident.

The extract below, taken from the Android developer site, shows the contents of the network_security_config.xml file.

Although you can configure an expiry date with <pin-set expiration="2018-12-17">, remember that after that date the pins are no longer enforced, so if you have not upgraded your app you will accept connections that pinning would otherwise have rejected.

Essential steps in the pinning process are:

  • Get the certificate for the desired host (the whole certificate chain is preferred)
  • Ensure that the certificate is in .bks format; this is important for proper pinning across all devices
  • Use the Apache HTTP client shipped with Android.
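The following Python is an added worked example, not code from this article, from Android, or from any library. It models the pin-set policy described above and the SoftFail/HardFail handling from the error-handling section: a pin is base64(SHA-256(SPKI)), a chain passes if any certificate at any level (leaf, intermediate or root) matches a primary or backup pin, an expired pin set falls back to ordinary CA trust, and a mismatch is either reported (SoftFail) or rejected (HardFail). The PinSet class, the evaluate_chain function and the byte strings standing in for DER-encoded SubjectPublicKeyInfo blobs are all constructed here; real code would extract the SPKI from each X.509 certificate in the presented chain.

```python
"""Pin-set evaluation modelled on Android's network_security_config.xml.

Added example; not code from the article, Android, or any library.
Assumption: the caller already has the DER-encoded SubjectPublicKeyInfo
(SPKI) of each certificate in the chain. Real code extracts it from the
X.509 certificates; here constructed byte strings stand in for it.
"""
import base64
import hashlib
import logging
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set, Tuple

log = logging.getLogger("pinning")


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the form Android's <pin digest="SHA-256"> expects:
    base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PinningError(Exception):
    """HardFail: no certificate in the presented chain matched a pinned key."""


@dataclass
class PinSet:
    """Hypothetical model of <pin-set expiration="YYYY-MM-DD">: primary and backup pins."""
    pins: Set[str]
    expiration: Optional[date] = None  # None: the pins never expire

    def expired_on(self, today: date) -> bool:
        return self.expiration is not None and today > self.expiration


def evaluate_chain(chain_spkis: Iterable[bytes], pin_set: PinSet, today: date,
                   hard_fail: bool = True) -> Tuple[bool, str]:
    """Return (connection_allowed, reason).

    reason is 'pinned' (some chain key matched), 'expired' (the pin set is
    past its expiration date, so only ordinary CA trust applies) or
    'mismatch' (SoftFail: the connection proceeds but the failure is logged).
    In HardFail mode a mismatch raises PinningError instead of returning.
    """
    if pin_set.expired_on(today):
        log.warning("pin set expired on %s: falling back to system trust only",
                    pin_set.expiration)
        return True, "expired"
    # Android semantics: the chain passes if ANY certificate in it, whether
    # leaf, intermediate or root, carries a pinned public key.
    if any(spki_pin(spki) in pin_set.pins for spki in chain_spkis):
        return True, "pinned"
    if hard_fail:
        raise PinningError("no certificate in the chain matches a pinned key")
    log.error("pin mismatch (SoftFail): reporting and connecting anyway")
    return True, "mismatch"


# Constructed stand-ins for SPKI blobs (not real keys).
LEAF_KEY_2021 = b"spki:leaf:2021"
LEAF_KEY_2022 = b"spki:leaf:2022"            # renewed leaf, same issuer
INTERMEDIATE_KEY = b"spki:intermediate"
ROOT_KEY = b"spki:root"
BACKUP_KEY = b"spki:intermediate:backup"     # kept offline for rotation
PROXY_ROOT_KEY = b"spki:user-installed-proxy-ca"

# Pin the intermediate (plus a backup), with the expiration date the article uses.
PIN_SET = PinSet(pins={spki_pin(INTERMEDIATE_KEY), spki_pin(BACKUP_KEY)},
                 expiration=date(2018, 12, 17))


def demo(today: date = date(2018, 6, 1)) -> Dict[str, Tuple[bool, str]]:
    """Run the policy over a genuine chain, a renewed leaf, and an interception chain."""
    genuine = [LEAF_KEY_2021, INTERMEDIATE_KEY, ROOT_KEY]
    renewed = [LEAF_KEY_2022, INTERMEDIATE_KEY, ROOT_KEY]   # works without an app update
    proxy = [b"spki:proxy-leaf", PROXY_ROOT_KEY]            # trusted by the device store only
    results = {
        "genuine": evaluate_chain(genuine, PIN_SET, today),
        "renewed_leaf": evaluate_chain(renewed, PIN_SET, today),
        "proxy_softfail": evaluate_chain(proxy, PIN_SET, today, hard_fail=False),
        "proxy_after_expiry": evaluate_chain(proxy, PIN_SET, date(2019, 1, 1)),
    }
    try:
        evaluate_chain(proxy, PIN_SET, today)          # HardFail (the default)
        results["proxy_hardfail"] = (True, "unexpected")
    except PinningError:
        results["proxy_hardfail"] = (False, "rejected")
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for name, (allowed, reason) in demo().items():
        print(f"{name:20s} allowed={allowed} reason={reason}")
```

Running it prints five outcomes. The renewed_leaf case shows why pinning the intermediate survives a leaf renewal, and the proxy_after_expiry case is the caveat from the paragraph above: once the pin set has expired, a chain from a CA that is only in the device's trust store is accepted on system trust alone, exactly as if pinning had never been configured.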


How does cert pinning work on iOS?

Certificate pinning for iOS can be implemented through the NSURLConnectionDelegate callbacks of NSURLConnection.

Alamofire and AFNetworking are third-party libraries that make adding certificate pinning to mobile apps simple. The two take slightly different approaches, and so does the code used to pin a certificate with each.

Let's look at the code AFNetworking uses to pin a specific certificate, in this case a ".cer" file. The code below sets up the security policy in an init-style method so that the app rejects every certificate apart from the pinned one.


// AFNetworking 2.x, Swift 2 era API, as used in this article. Assumes the
// method lives in a class (for example an AFHTTPSessionManager subclass)
// that has a `securityPolicy` property.
func certSecPolicy() {
    // Pin the certificate itself rather than its public key.
    let securityPolicy = AFSecurityPolicy(pinningMode: AFSSLPinningMode.Certificate)

    // Load the DER-encoded certificate bundled with the app (pinnedcert.cer).
    let certPath = NSBundle.mainBundle().pathForResource("pinnedcert", ofType: "cer")!
    let certContents = NSData(contentsOfFile: certPath)!

    // Only this certificate is accepted; any other certificate is rejected.
    securityPolicy.pinnedCertificates = [certContents]

    // false: only the pinned certificate must match, not every link in the chain.
    securityPolicy.validatesCertificateChain = false

    self.securityPolicy = securityPolicy
}

Since multiple certificates can be pinned with this method, it is useful when the app talks to several servers that present different certificates.

It is also important to keep a regular check on your third-party libraries, keep them updated, and use a current TLS version for all mobile app communications.

How to test whether cert pinning is properly implemented?

The reason cert pinning is needed also dictates the testing strategy. Running a simulated MITM attack through a proxy against the mobile app is the best way to test whether pinning is properly implemented. A compromised certificate linked to the app, incorrect pinning code, and similar problems are noticed immediately in such a test.

If you wish to do the testing yourself, a network proxy tool such as Fiddler or Burp Suite can be used to intercept the mobile app's communications. Install the proxy tool's CA certificate as a trusted root CA on the mobile device that runs the app, so that the proxy can intercept the device's traffic.

A proxy installed as a root CA in this way acts as a MITM: it can intercept, read, alter, and decrypt the encrypted communications between the mobile device, the mobile app, and the backend servers. If the proxy can intercept the app's network traffic during the testing phase, there is a good chance that certificate pinning is not in effect.

If you are still confident the implementation is correct, you need to dig into the app source code to find the problem. You can also take the help of expert security analysts who can carry out this testing successfully.

You can also use dynamic analysis (DAST) tools to run MITM tests. Many automated security-testing plugins for CI/CD platforms also support continuous security testing of cert pinning.

Conclusion:

Security against cyber-criminals is always preferable, whether it is single-layer SSL certificate encryption or double-layer SSL pinning for server verification and protection of sensitive app data.

SSL pinning forces the app to accept only connections to the designated server whose certificate it has stored, thus preventing MITM and other cyber-attacks. It is mandatory that all network communications are encrypted to keep the conversation secure, and hence cert pinning should be given the utmost priority. Though the process is tedious, complicated, and lengthy, it is worth the effort, since it works brilliantly for mobile security and app data protection.
