SSL Pinning

SSL (Secure Socket Layer) Certificate Pinning, or SSL pinning for short, is the process of associating a host with its certificate or public key.

In other words, you configure the app to reject/accept a few predefined certificates or public keys. Whenever the app connects to a server, it compares the server certificate with the pinned certificate(s) or public key(s). If and only if they match, the app trusts the server and establishes the connection.

We usually add a server certificate or public key at development time. In other words, mobile app should include the digital certificate or the public key within app’s bundle. This is the preferred method since an attacker cannot taint the pin.

What is an SSL/TLS Certificate?

Secure Socket Layer (SSL) and Transport Layer Security (TLS) ensure encrypted communication over the internet – specified as HTTPS.

The security factors of SSL are based on the security certificates’ “Chain of Trust.” When a sender sends a message, the client checks the server’s SSL certificate to confirm whether Trusted CA issues the certificate.

SSL certificate?combines symmetric and asymmetric cryptography to establish a secure connection between the client and server. The server uses its SSL/TLS certificate to authenticate to the client, containing the server’s public key and other identifying information. The client then generates a symmetric key to encrypt data that will be exchanged with the server.

During the SSL/TLS handshake, the client and server agree on a cipher suite for encrypted communication. Once the handshake is complete, the client and server can exchange encrypted data.

SSL handshake working

Man-In-The-Middle Attack

Despite the security provided by?SSL/TLS, it is still vulnerable to attacks, particularly man-in-the-middle (MITM) attacks. In a MITM attack, an attacker intercepts communication between a web client and a web server, allowing them to eavesdrop on the conversation or even modify the data being exchanged.

In this digital eavesdropping, cybercriminals enter as a proxy and begin communicating between two parties. None of them knows that a third person is between them, who can communicate, change, or remove communication based on their intention.

Why Do You Need SSL Certificate Pinning?

When the app tries to establish a connection to a server, it doesn’t determine which certificates to trust and which not to. The app relies entirely on the certificates that the iOS Trust Store provides or Android CA’s provide by Google.

This method has a weakness, however: An attacker can generate a self-signed certificate and include it in the iOS/Android Trust Store or hack a root CA certificate. This allows such an attacker to set up a man-in-the-middle attack and capture the transmitted data moving to and from your app.

Restricting the set of trusted certificates through pinning prevents attackers from analyzing the functionality of the app and the way it communicates with the server.

?

Types of SSL Certificate Pinning

If you want to implement pinning you can decide between two options:

• Pin the certificate: You can download the server’s certificate and bundle it into your app. At runtime, the app compares the server’s certificate to the one you’ve embedded.
• Pin the public key: You can retrieve the certificate’s public key and include it in your code as a string. At runtime, the app compares the certificate’s public key to the one hard-coded in your code.

Choosing between these two options depends on your needs and server configuration. If you choose the first option, you need to release a new version of your app when your server rotates (changes) its certificate or it will stop working. If you choose the second option, it may violate the key rotation policy because the public key doesn’t change.

?

How Does SSL Pinning Work?

Here is a step-by-step process of how SSL pinning works:

• The client (such as a mobile app) establishes an SSL/TLS connection with the server.
• The server sends its public key, which is used to encrypt the data exchanged between the client and the server.
• The client verifies the server’s identity by checking the server’s digital certificate issued by a trusted Certificate Authority (CA).
• With SSL pinning, the client also checks that the server’s public key matches the hard-coded public key into the client’s code or configuration. If the public keys match, the connection is allowed to proceed.
• If the server’s public key does not match the pinned key, the client assumes that a MITM attack is underway and terminates the connection. This prevents any communication from being intercepted and tampered with.
• If the client needs to update the pinned public key, the app must be updated with a new pinned key.