Enhancing Mobile App Security with SSL Pinning
TLS (still widely called SSL) is today the industry standard for letting mobile apps transmit data securely. However, without one further step it is still possible for attackers to intercept these connections. So let's take a look at that step, called SSL pinning, and how it can help you design and deliver more secure mobile applications.
When mobile applications communicate with a server, they typically use SSL/TLS to protect the transmitted data against eavesdropping and tampering. By default, the TLS implementation used by an app trusts any server whose certificate chains to a certificate authority in the operating system's trust store. This store is the list of CA certificates shipped with the operating system, and on most platforms it can be extended by the user, by an enterprise profile or by malware. Any CA in that list can issue a certificate for your server's hostname, and that is the gap pinning closes.
With SSL pinning, the application is configured to accept only one or a few predefined certificates (or public keys). Whenever the application connects to the server, it compares the certificate chain the server presents with the pinned value(s), on top of the normal chain validation. Only if one of them matches is the server considered trusted and the TLS connection established; otherwise the app drops the connection.
The Need for SSL Pinning
The main reason to use this technique is to better protect your users' data against man-in-the-middle attacks. Certificate pinning blocks a technique attackers commonly rely on: getting a rogue CA certificate trusted on the device and then terminating TLS on an interception proxy. With pinning in place, the proxy's certificate does not match the pinned value, so if an attacker tries to use a proxy to read the request's data the client's connection will fail, and you can notify your users that there might be a security issue.
Furthermore, pinning also raises the bar for someone trying to tamper with your application's traffic. By preventing a third party from viewing and manipulating the data that is sent to your servers, certificate pinning helps developers fight some of this fraudulent behaviour.
What exactly should you store/pin?
- Pin the certificate: hash the whole DER-encoded leaf (or intermediate) certificate. Simple, but every renewal produces a new certificate, so the pin shipped in the app must change in lockstep with each re-issuance.
- Pin the public key (SPKI): hash the certificate's SubjectPublicKeyInfo instead. The pin survives renewals that keep the same key pair and only changes when the key itself is rotated, which is why it is the usual recommendation.
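As an added example, not code from the original article, the following Go program shows both the pin check described above and the practical difference between the two options in this list. It uses only Go's standard library; the key pairs, the hostname api.example.test and the self-signed certificates are constructed inside the program and stand in for a real server's CA-issued certificate, and the names verifyPins, clientConfig, Scenario and runScenario are the example's own. It is written in Go rather than Kotlin or Swift so that it runs anywhere, but the pin format (base64 of the SHA-256 of the DER SPKI) and the rule of matching pins only against an already verified chain are the same ones a mobile client applies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is base64(SHA-256(DER SubjectPublicKeyInfo)), the value that follows
// "sha256/" in Android's Network Security Config and OkHttp's CertificatePinner.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// certPin hashes the whole DER certificate, so any re-issuance changes it.
func certPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins builds a tls.Config.VerifyPeerCertificate callback. It runs after
// Go's normal chain validation and consults only the verified chains: the raw
// presented chain may carry certificates the server never proved it owns, so
// matching against it would let an attacker smuggle the pinned cert in.
func verifyPins(pins map[string]bool, pin func(*x509.Certificate) string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains {
			for _, cert := range chain {
				if pins[pin(cert)] {
					return nil
				}
			}
		}
		return errors.New("pinning: no certificate in a verified chain matched a pin")
	}
}

// clientConfig is how the check is wired into a client: standard verification
// stays on (never set InsecureSkipVerify) and pinning is layered on top. In
// production pins holds the current SPKI pin plus a backup pin for a key that is
// generated but not yet deployed, so a rotation does not lock clients out.
func clientConfig(pins map[string]bool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, VerifyPeerCertificate: verifyPins(pins, spkiPin)}
}

// selfSigned issues a self-signed certificate for key: constructed test data in
// place of a CA-issued cert; issuing twice with one key models a renewal.
func selfSigned(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "api.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // only reachable with a broken key
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// pinAccepts reports whether a pin taken from pinned still accepts presented,
// handing the callback a one-element verified chain as the TLS stack would.
func pinAccepts(pin func(*x509.Certificate) string, pinned, presented *x509.Certificate) bool {
	check := verifyPins(map[string]bool{pin(pinned): true}, pin)
	return check(nil, [][]*x509.Certificate{{presented}}) == nil
}

// Scenario records how each pin fares across a same-key renewal and a key rotation.
type Scenario struct {
	CertPinAfterRenewal   bool // whole-cert pin, same key re-issued
	SPKIPinAfterRenewal   bool // SPKI pin, same key re-issued
	SPKIPinAfterKeyChange bool // SPKI pin, new key pair
}

func runScenario() (Scenario, error) {
	key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	key2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	original := selfSigned(key1, 1)
	renewed := selfSigned(key1, 2) // same key, new serial and signature
	rotated := selfSigned(key2, 3) // new key pair
	return Scenario{
		CertPinAfterRenewal:   pinAccepts(certPin, original, renewed),
		SPKIPinAfterRenewal:   pinAccepts(spkiPin, original, renewed),
		SPKIPinAfterKeyChange: pinAccepts(spkiPin, original, rotated),
	}, nil
}

func main() {
	s, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s) // {CertPinAfterRenewal:false SPKIPinAfterRenewal:true SPKIPinAfterKeyChange:false}
}
```

The three results are the whole argument for SPKI pinning: the whole-certificate pin breaks on an ordinary renewal, the SPKI pin survives it, and the SPKI pin still rejects a server that shows up with a different key. Note what the callback deliberately does not do: it never looks at the raw presented chain, and it never replaces standard validation, so a pin match on an expired or mis-issued certificate still fails the handshake.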
However, as with all other security measures, SSL pinning is not a silver bullet, and it won't protect your users against an attacker who controls the device. It cannot stop reverse engineering either: Frida scripts and Xposed modules that unpin at runtime, attaching a debugger, and repackaging the app with the check removed all still work, and on a rooted or jailbroken device the attacker already has everything needed to do so. Furthermore, pinning can be an operational headache and must be designed carefully: pins expire together with the certificates or keys they cover, and without a backup pin for a key that is not yet deployed, a key rotation can lock every installed client out of your backend. So it isn't necessarily recommended for everyone.
That said, SSL pinning is certainly an important security enhancement – and if relevant, it’s one that must be implemented with care.