One of the key, if sometimes overlooked, features of Approov is its integrated support for dynamic certificate pinning. In this blog we explain how it works and its numerous advantages.
What is the Benefit of Pinning?
Certificate pinning ensures that your app only connects with a backend API via TLS if the presented certificate chain includes at least one certificate public key that is known to be trusted. This is, of course, in addition to all of the usual trust checks performed.
This means that the app is not simply reliant on the contents of the trust store on the end device, but also requires an additional level of verification. This protects the app from compromises against certificate authorities, and also makes reverse engineering of an app’s API traffic using a proxy tool considerably more difficult. Indeed, with the addition of the other Approov security features the API channel is heavily secured.
Pinning implementations typically fix the required pins in the app code itself. Although this provides the advantage that the app is no longer only dependent on the trust store of the device itself, it also has the distinct disadvantage that updates to the pins require a new app version to be issued. The problem comes if there is a lack of coordination between the frontend and backend teams, or indeed if there is a need to change a compromised certificate in a hurry.
You may then end up in a situation where the pins don’t match and your app no longer works until a new update can be pushed out. This can take time, and in any case you cannot guarantee that every user will immediately and automatically receive the update.
For instance, here is a salutary lesson from the Barclays Bank mobile app about what can go awry with certificate pinning if there are no backups in place and there is an unexpected pinning change.
This is of course why it is recommended that a backup pin be included as an insurance against such eventualities. But for ultimate peace of mind for both security and uptime you really require a solution that secures with certificate pinning, but in a way that can be dynamically updated over-the-air.
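The trust rule described above, with a backup pin so that a key rotation does not strand installed apps, as an added Go example written for this post (it is not Approov's SDK or the code of any of the quickstarts). Pins are base64(SHA-256(SubjectPublicKeyInfo)); the backup pin is derived from a bare public key that is not yet in any certificate; the self-signed leaves, the keys and the hostname api.example.com are constructed so that the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PinSet holds the trusted SPKI pins for one API domain: live key plus backup(s).
type PinSet map[string]bool

// pinFromSPKI is the usual pin form: base64(SHA-256(DER SubjectPublicKeyInfo)).
func pinFromSPKI(spki []byte) string {
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinForPublicKey derives a pin from a bare public key; this is how a backup
// pin is produced for a key that is not yet in any certificate.
func PinForPublicKey(pub any) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return pinFromSPKI(spki), nil
}

// VerifyPins succeeds if at least one certificate in the presented chain carries
// a pinned public key. It runs on top of the standard chain and hostname checks.
func VerifyPins(rawCerts [][]byte, pins PinSet) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("parsing presented certificate: %w", err)
		}
		if pins[pinFromSPKI(cert.RawSubjectPublicKeyInfo)] {
			return nil
		}
	}
	return errors.New("no certificate in the chain matches a configured pin")
}

// selfSignedLeaf stands in for the API server's leaf certificate so the example
// runs offline; the hostname is a constructed placeholder.
func selfSignedLeaf(key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "api.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// leafPasses issues a throwaway leaf for key and runs the pin check on it.
func leafPasses(key *ecdsa.PrivateKey, pins PinSet) (bool, error) {
	der, err := selfSignedLeaf(key)
	if err != nil {
		return false, err
	}
	return VerifyPins([][]byte{der}, pins) == nil, nil
}

// RotationScenario: the current leaf passes, a renewed leaf using the
// pre-pinned backup key passes, and a leaf with an unexpected key fails.
func RotationScenario() (currentOK, backupOK, unknownOK bool, err error) {
	currentKey, backupKey, unknownKey := mustKey(), mustKey(), mustKey()
	currentPin, err := PinForPublicKey(&currentKey.PublicKey)
	if err != nil {
		return
	}
	backupPin, err := PinForPublicKey(&backupKey.PublicKey)
	if err != nil {
		return
	}
	pins := PinSet{currentPin: true, backupPin: true}
	if currentOK, err = leafPasses(currentKey, pins); err != nil {
		return
	}
	if backupOK, err = leafPasses(backupKey, pins); err != nil {
		return
	}
	unknownOK, err = leafPasses(unknownKey, pins)
	return
}

func main() { fmt.Println(RotationScenario()) }
```

In a real Go client VerifyPins would be installed as the VerifyPeerCertificate callback of a tls.Config with InsecureSkipVerify left false, so the pin comparison only runs after the normal chain, hostname and expiry validation has already passed. The third outcome is the Barclays-style failure: a certificate reissued on a key nobody pinned in advance is rejected by every installed app, and with static pins nothing short of an app update fixes it.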
All of our Approov Frontend Quickstarts automatically include dynamic certificate pinning as part of their implementation. So if you integrate Approov then you can be sure that the channels will be pinned without any additional coding requirements.
The pin information is supplied automatically as part of the configuration held by the app. This is transmitted from the Approov servers. If the pinning information is changed then the next time the app connects to the server it will receive the update. It is persisted in the app so it is available immediately the next time the app is launched, even before it fetches any information from the Approov servers.
You might, reasonably, ask how we protect the pin information itself from being manipulated when it is passed from the Approov servers to the app. This channel is itself pinned, but there is a capability to send configuration information through an unpinned channel in case we need to change the pins on our own servers. This configuration can’t be manipulated by any Man-in-the-Middle (MitM) because the configuration data is itself signed with a private key specific to each Approov account and verified with a fixed public key held in the app. This provides a secure transfer of new configurations, including pins, which are then made available in the app to pin the other connections that the app needs to make.
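The signed-configuration mechanism just described, as an added Go example written for this post rather than Approov's own protocol or wire format: the server signs the pin set with an account-specific private key, and the app accepts a new pin set only when the signature verifies under the public key fixed in the app, so a configuration that has been altered on an unpinned channel is discarded. The JSON field names, the placeholder pin strings and the monotonic version check (which additionally rejects a replayed older pin set) are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PinConfig is the pin set an account pushes to its installed apps. The field
// names are this example's own, not Approov's configuration format.
type PinConfig struct {
	Version uint64              `json:"version"`
	Pins    map[string][]string `json:"pins"` // API domain -> SPKI pins (live + backup)
}

// SignedConfig is the message that crosses the (possibly unpinned) channel.
type SignedConfig struct {
	Payload   []byte `json:"payload"`   // JSON encoding of a PinConfig
	Signature []byte `json:"signature"` // Ed25519 signature over Payload
}

// SignConfig runs on the server with the account's private signing key.
func SignConfig(priv ed25519.PrivateKey, cfg PinConfig) (SignedConfig, error) {
	payload, err := json.Marshal(cfg)
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// PinStore is the app side: the account public key fixed in the app binary and
// the most recently accepted configuration, which a real app persists.
type PinStore struct {
	AccountKey ed25519.PublicKey
	Current    PinConfig
}

// Apply accepts an update only if its signature verifies under the fixed key.
// The monotonic version check is this example's addition: it also refuses a
// replay of an older, genuinely signed pin set.
func (s *PinStore) Apply(sc SignedConfig) error {
	if !ed25519.Verify(s.AccountKey, sc.Payload, sc.Signature) {
		return errors.New("configuration signature does not verify; update discarded")
	}
	var cfg PinConfig
	if err := json.Unmarshal(sc.Payload, &cfg); err != nil {
		return fmt.Errorf("decoding configuration: %w", err)
	}
	if cfg.Version <= s.Current.Version {
		return fmt.Errorf("stale configuration version %d (have %d)", cfg.Version, s.Current.Version)
	}
	s.Current = cfg
	return nil
}

// UpdateScenario: a genuine pin rotation is accepted, a payload altered in
// transit is rejected, and a replay of the previous version is rejected.
// The pin strings are constructed placeholders, not real certificate hashes.
func UpdateScenario() (genuineOK, tamperedRejected, replayRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	const domain = "api.example.com" // constructed
	v1 := PinConfig{Version: 1, Pins: map[string][]string{
		domain: {"PIN_LIVE_V1_PLACEHOLDER=", "PIN_BACKUP_PLACEHOLDER="}}}
	app := &PinStore{AccountKey: pub, Current: v1}

	// Operator rotates the live key to the backup key and registers a new backup.
	v2 := PinConfig{Version: 2, Pins: map[string][]string{
		domain: {"PIN_BACKUP_PLACEHOLDER=", "PIN_NEW_BACKUP_PLACEHOLDER="}}}
	genuine, err := SignConfig(priv, v2)
	if err != nil {
		return
	}

	// An intermediary substitutes its own pin but cannot re-sign the payload.
	forgedPayload, err := json.Marshal(PinConfig{Version: 3, Pins: map[string][]string{
		domain: {"PIN_MITM_PLACEHOLDER="}}})
	if err != nil {
		return
	}
	tampered := SignedConfig{Payload: forgedPayload, Signature: genuine.Signature}
	tamperedRejected = app.Apply(tampered) != nil && app.Current.Version == 1

	genuineOK = app.Apply(genuine) == nil && app.Current.Version == 2

	// The old v1 message is genuinely signed but must not roll the pins back.
	replay, err := SignConfig(priv, v1)
	if err != nil {
		return
	}
	replayRejected = app.Apply(replay) != nil && app.Current.Version == 2
	return
}

func main() { fmt.Println(UpdateScenario()) }
```

The design point is that the pinned channel protects delivery, but the signature is what protects the content: even when the configuration has to travel unpinned because the server-side pins themselves are changing, only the holder of the account's private key can produce a pin set the app will install.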
When an API domain is added using Approov, the leaf certificate for the domain is analyzed and a pin extracted. These operations are performed automatically when using the Approov command line tool.
A wide range of different commands are provided to manage the pins associated with the domains. Indeed, it is possible to extract pins from certificate files as well as from live endpoints. There are also options to remove pinning entirely for particular domains, or even to apply pinning on domains that don’t require protection with Approov tokens.
The key advantage is that all these operations can be carried out on the account, and the updates are then immediately distributed to the installed base of apps. There is never any need to release a new version of the app simply to update pins. Pin updates are distributed the next time an Approov token needs to be fetched, which is at most 5 minutes away if an app instance already holds a valid Approov token.
As we point out in our blog “How to Bypass Certificate Pinning with Frida on an Android App”, it is possible to bypass pinning if an attacker controls the end device. If the device is rooted or jailbroken then it is possible to install an instrumentation framework such as Frida that can hook the functions associated with the implementation of pinning and subvert them.
Approov will detect the presence of such a framework and the hooking operation. This will cause the app to fail its integrity checks and it will be issued with an invalid Approov token. When this is presented to a backend API protected with Approov, the typical security posture will be to deny access. With all backend API requests denied it will be impossible for the app to operate normally, or for an attacker to reverse engineer the API protocol.
With all this protection in place you might wonder how a pentester can get around it to do a security assessment of the app. This has indeed been a problem in the past, and we have even added a special PenTest access role to allow pinning to be disabled on a specific device so that analysis can proceed. This doesn’t rely on any sort of backdoor in the app itself, but on server-controlled configuration that pushes out a modified set of pins to that particular device.
Another feature of Approov is continuous monitoring of the certificate pins on the API domains that you are protecting. When you add a new API it is automatically added to API monitoring.
This means that every 15 minutes our servers probe the API endpoints and compare the certificates presented against the pins you have set in your account. If there is a mismatch that would cause your apps to fail with pinning errors, then an email is sent automatically to an address that you configure. This can of course then be automatically forwarded to a DevOps monitoring and alerting system.
Thus you’ll be made aware of a potential issue before you start receiving complaints from your end users. Since pins can be updated automatically you can then easily push out an update to your user base.
We’ve found that our customers really like our dynamic certificate pinning solution in addition, of course, to the numerous other Approov security features. We’ve been told, on more than one occasion, that in the past the DevOps team has vetoed plans to implement static pinning, but with the flexibility of dynamic certificate pinning updates they are now happy to endorse this additional security feature. For instance, here is an interesting blog independently written by a team evaluating an earlier version of Approov. All the pinning is now managed by our quickstart integrations, so the setup is now even easier!