
Enhancing Mobile App Security with SSL Pinning

By Mukhtar Serikbayev, Specialist Offensive Cybersecurity Consultant, Help AG  |  Posted Tuesday, 23rd July 2019

SSL (today, strictly speaking, its successor TLS; this post keeps the familiar name) is the industry standard for ensuring mobile apps can transmit data securely. However, without one further step, it is still possible for cyber criminals to snoop on these connections. So let's take a look at that step, called SSL pinning, and how it can help you design and deliver more secure mobile applications.

When a mobile application communicates with a server, it typically uses SSL to protect the transmitted data against eavesdropping and tampering. By default, the SSL implementation in the app trusts any server whose certificate chains to a certificate authority in the operating system's trust store. This store is the list of certificate authorities that ships with the operating system and, depending on the platform and its configuration, may also include CAs that the user, or an attacker with access to the device, has installed.

With SSL pinning, however, the application is configured to reject all but one or a few predefined certificates or public keys. Whenever the application connects to the server, it compares the certificate the server presents against the pinned value(s). If and only if they match is the server considered trusted and the SSL connection established; a certificate that the OS trust store would happily accept is still rejected if it is not pinned.

The Need for SSL Pinning

The main reason to use this technique is to better protect your users' data from man-in-the-middle attacks. Certificate pinning blocks the interception techniques attackers commonly rely on. For example, if an attacker tries to read request data through an intercepting proxy, which works by presenting its own certificate issued by a CA that has been installed on the device, the client's connection will fail, and the app can notify the user that there may be a security issue.

Furthermore, certificate pinning also protects your application against someone tampering with its traffic. By preventing attackers from viewing and manipulating the data sent to your servers, it removes the easiest route to studying and abusing the app's API.

What exactly should you store/pin?

  • Pin the certificate: the app holds a hash of the whole leaf (or intermediate) certificate. This is the simplest to set up, but every certificate renewal produces a new hash, so each renewal forces an app update.
  • Pin the public key (SPKI): the app holds a hash of the certificate's SubjectPublicKeyInfo, that is, the server's public key together with its algorithm. The pin stays valid across renewals as long as the server keeps the same key pair, which is why SPKI pinning (normally a SHA-256 digest of the SPKI) is the form that Android's Network Security Configuration supports natively.
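The comparison at connection time described above, combined with SPKI pinning from the list, as an added example that is not code from the original post or from Help AG. It is written in Go because its standard library can mint certificates and run a TLS handshake offline. The code computes the SPKI pin of a server certificate, installs a verifier that accepts a handshake only when a presented certificate carries a pinned key, and then runs two handshakes over loopback: one against the genuine server and one against a second, freshly generated certificate for the same hostname, standing in for an intercepting proxy whose CA the device trusts. The hostname api.example.com, both certificates and the pin set are constructed test data; InsecureSkipVerify is set only because those certificates are self-signed and must stay false in a real app.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// spkiPin returns the base64 SHA-256 digest of a certificate's SubjectPublicKeyInfo,
// the value shipped in the app's pin set; it survives renewals that keep the key pair.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedVerifier returns a tls.Config.VerifyPeerCertificate callback that accepts the
// handshake only if some certificate in the presented chain carries a pinned SPKI.
func pinnedVerifier(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if pins[spkiPin(cert)] {
				return nil
			}
		}
		return errors.New("ssl pinning: no presented certificate matches a pinned public key")
	}
}

// selfSignedCert mints a throwaway ECDSA certificate for cn (constructed test data).
func selfSignedCert(cn string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// handshake runs one TLS handshake over loopback and returns the client-side error.
func handshake(serverCert tls.Certificate, pins map[string]bool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		if raw, err := ln.Accept(); err == nil {
			srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}})
			_ = srv.Handshake() // fails when the client rejects our certificate
			srv.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:            "api.example.com",
		InsecureSkipVerify:    true, // test-only: the constructed certs are self-signed; never ship this
		VerifyPeerCertificate: pinnedVerifier(pins),
	})
	if err == nil {
		cli.Close()
	}
	ln.Close() // also unblocks Accept if the client never connected
	<-done
	return err
}

func main() {
	genuine, genuineLeaf := selfSignedCert("api.example.com")
	impostor, _ := selfSignedCert("api.example.com") // same name, different key: a proxy's cert
	pins := map[string]bool{spkiPin(genuineLeaf): true}
	fmt.Println("genuine server:", handshake(genuine, pins))
	fmt.Println("proxy in the middle:", handshake(impostor, pins))
}
```

Go calls VerifyPeerCertificate after its normal chain validation, so the pin check narrows trust rather than replacing it; the impostor certificate fails on the pin even though it names the right host. On a real mobile app the same check lives in the platform's own mechanism, the pin-set in Android's network_security_config.xml or the NSPinnedDomains entry in an iOS app's Info.plist, rather than in hand-written verifier code, but the logic is the one shown here.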

However, as with all other security measures, SSL pinning is not a silver bullet, and it won't protect your users against local attacks. Nor will it stop reverse-engineering attacks: instrumentation with Frida, Xposed modules that unpin, attaching a debugger, and repackaging the app with the pin check removed all work. It's also worth noting that this security step won't help if the device is rooted or jailbroken, because that is precisely what makes those unpinning tools possible. Furthermore, pinning can be an operational headache and must be designed carefully: prefer pinning a key over a certificate, always ship a backup pin for a key held in reserve so you can rotate without locking users out, and plan how the pin set gets updated in the field. So it isn't necessarily recommended for everyone.

That said, SSL pinning is certainly an important security enhancement – and if relevant, it’s one that must be implemented with care.
