
Dynamic Certificate Pinning for Secure Mobile Communication


This is the final article in a guest blog series from Intellyx. Find the full series here.

A man-in-the-middle (MitM) attack is one of the most serious classes of attack on the Internet. An attacker who sits between two communicating parties can read, copy or alter an entire flow of messages, stealing login credentials, bank account numbers, credit card numbers and social security numbers, or can simply drop the traffic to deny service.

It is the main reason HTTPS, which carries HTTP over an encrypted and authenticated TLS connection, is so widely used: it is the standard defence against exactly this kind of attack.

The legacy of insecure Internet traffic is why many people (my mother, for example) still don’t trust websites and mobile apps to keep their credit card and banking transactions safe.

Encrypting traffic with Transport Layer Security (TLS), as HTTPS does, defeats many MitM attacks, but of course cybercriminals are always upping their game and finding new ways to launch profitable ones.

Limitations of Encryption to Defeat MitM Attacks 

TLS is the most widely used transport encryption protocol, standardized by the Internet Engineering Task Force (IETF).

In the TLS handshake the server presents its certificate (the client may present one too), the client validates the certificate chain against the certificate authorities (CAs) trusted by the operating system, and the two sides agree on a cipher suite and derive a shared session key.

The public key in the server’s certificate is used to authenticate the server and to establish that session key; the traffic itself is then encrypted with the symmetric session key, which only the two endpoints hold. This works well against the basic MitM attack, because an attacker on the path sees only ciphertext and cannot decipher it.

But attackers have found ways around this: obtaining a fraudulently issued certificate from a compromised or careless CA, getting a rogue CA installed into the device’s trust store, or stealing a server’s private key. The underlying weakness is that standard HTTPS validation only proves that some CA the device trusts vouched for the server name. It does not confirm that the endpoint is actually your server, and it says nothing about whether the client is actually your app.

As they say, however, when attackers find a new way to break in, a new solution is developed to prevent it. It’s an arms race, but for every new threat there’s a new protection following close behind.  

Handling Mobile App Vulnerability to MitM

Mobile apps on Android and iOS talk to their backends over HTTP just as websites do, are therefore exposed to the same types of MitM attack, and use HTTPS to help prevent them.

But mobile apps differ from web apps in some key ways. The operating system environments are different, the way apps are distributed is different, and the programming language code is often different.

Mobile apps can therefore take advantage of additional MitM protections that are specific to their environment.

One such protection is certificate pinning. The app ships with a record (a pin) of the server certificate, or more commonly of the public key inside it, that it expects to see, and during the TLS handshake it checks the certificate the server presents against that record before sending any data. A certificate that chains to a trusted CA but does not match the pin is rejected.

Static certificate pinning has an operational weakness, however: certificates expire and keys are rotated, and once the server starts presenting a certificate that no longer matches the pins baked into the app, older installs, or installs that are not kept up to date, stop working until the user upgrades. Pinning a backup key for the next rotation reduces the risk but does not remove it.

Dynamic Cert Pinning Solution 

Dynamic certificate pinning solves the rotation and expiry problem by allowing the pin set to be updated over the air. Pinning does not change the strength of the encryption itself; what it adds is that an attacker who has obtained a fraudulently issued certificate, or persuaded the user to install a rogue CA, still cannot impersonate the server, because the certificate presented does not match the pins.

Dynamic pin updates allow the app to follow certificate changes without a code release, and ensure that the app only ever connects to a trusted server whose certificate matches the current pin set.

Certificate pinning is easier to implement for mobile apps than for web apps because the app store provides a trusted channel for distributing the app code, including its pinning configuration, whereas a browser has no equivalent out-of-band channel for a website’s pins. That makes pinning a better fit for mobile apps.

Certificate pinning allows a mobile application to restrict communication to servers whose certificate matches an expected pin value. If the server presents a certificate that doesn’t match, the connection is terminated immediately, before any application data is sent.

The pin is not usually a copy of the entire certificate. It is typically a SHA-256 hash of the certificate, or more often of the certificate’s Subject Public Key Info (SPKI), so that the pin survives a renewal that keeps the same key. The mobile app ships with the pin and will only connect if it sees the expected certificate.

Updating the pin information for dynamic pinning can be challenging, however. You have to obtain the pin value for every certificate you want to include, for every domain the app talks to, and deliver it to the app dynamically.

On top of that you have to produce the XML file containing the pins in exactly the format the platform expects (on Android, the network security configuration file) so that the app can load it.
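The two steps above, computing a pin from a certificate and packaging the pins in the XML the platform expects, are shown in the following added example. It is not code from the article or from Approov’s tool. It computes the pin as base64(SHA-256(SPKI DER)) with a minimal DER walker, checks a presented certificate against a pin set that includes a backup pin for the next key rotation, and emits an Android network_security_config.xml pin-set with an expiration date. The certificate it parses is a constructed, unsigned, certificate-shaped DER structure built by `build_test_cert`, which exists only so the example runs offline; in practice you would feed it a real DER certificate (for example the output of `openssl x509 -outform DER`). The domain `api.example.com` and the expiration date are assumptions.

```python
"""Compute SPKI pins from a DER certificate, check them against a pin set,
and emit an Android network-security-config pin-set (added example)."""
import base64
import hashlib
from xml.sax.saxutils import escape


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_iter(data: bytes):
    """Yield (tag, body) for each TLV in a DER-encoded run of elements."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                       # long form: next (n & 0x7F) bytes hold the length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n


def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body = next(der_iter(cert_der))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body = next(der_iter(cert_body))
    fields = list(der_iter(tbs_body))
    if fields and fields[0][0] == 0xA0:    # skip the explicit [0] version wrapper
        fields = fields[1:]
    spki_tag, spki_body = fields[5]        # 6th mandatory field is subjectPublicKeyInfo
    if spki_tag != 0x30:
        raise ValueError("unexpected tag where SPKI expected")
    return der_tlv(spki_tag, spki_body)    # re-encode: the pin covers the whole SPKI TLV


def pin_from_spki(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SPKI DER)), the form Android's pin-set and OkHttp use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der: bytes) -> str:
    return pin_from_spki(spki_from_cert_der(cert_der))


def pin_matches(cert_der: bytes, pin_set) -> bool:
    """The check the app performs after normal chain validation: accept only if the
    presented certificate's SPKI pin is in the configured set (primary + backup pins)."""
    return spki_pin(cert_der) in set(pin_set)


def network_security_config(domain: str, pins, expiration: str) -> str:
    """Android network_security_config.xml for one domain and its pin set. The
    expiration date lets pinning lapse gracefully instead of bricking old installs."""
    pin_lines = "\n".join(f'            <pin digest="SHA-256">{escape(p)}</pin>' for p in pins)
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<network-security-config>\n"
        "    <domain-config>\n"
        f'        <domain includeSubdomains="true">{escape(domain)}</domain>\n'
        f'        <pin-set expiration="{escape(expiration)}">\n'
        f"{pin_lines}\n"
        "        </pin-set>\n"
        "    </domain-config>\n"
        "</network-security-config>\n"
    )


def build_test_cert(pubkey_bits: bytes):
    """Constructed, UNSIGNED certificate-shaped DER used only to exercise the parser.
    It is not a valid certificate; use real DER (openssl x509 -outform DER) in practice.
    Returns (cert_der, spki_der) so callers can verify the extraction."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")      # 1.2.840.113549.1.1.1 rsaEncryption
    sha256_rsa = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11 sha256WithRSA
    spki = der_tlv(0x30, der_tlv(0x30, rsa_oid + b"\x05\x00") + der_tlv(0x03, b"\x00" + pubkey_bits))
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0x30, sha256_rsa + b"\x05\x00") + empty_name + validity + empty_name + spki)
    cert = der_tlv(0x30, tbs + der_tlv(0x30, sha256_rsa + b"\x05\x00") + der_tlv(0x03, b"\x00" * 33))
    return cert, spki


if __name__ == "__main__":
    current, _ = build_test_cert(bytes(i % 256 for i in range(270)))   # long-form DER lengths
    backup, _ = build_test_cert(bytes(reversed(range(200))))
    pins = [spki_pin(current), spki_pin(backup)]     # backup pin covers the next key rotation
    print("pin ok:", pin_matches(current, pins), "| rotated key ok:", pin_matches(backup, pins))
    print(network_security_config("api.example.com", pins, "2025-01-01"))
```

Two design points worth noting: the hash is taken over the whole SPKI TLV, not just the raw key bits, which is why the parser re-encodes it, and the pin set always carries at least one backup pin for a key that is not yet deployed, so that a rotation does not lock out installs that have not yet received the new pins.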

So even though there is now solid platform support for pinning, the configuration part is tricky, especially if you are not familiar with certificate management.

That’s why the mobile security vendor, Approov, has made available to the community a tool to take the hard work out of generating and maintaining dynamic cert pinning information.  

The Intellyx Take

Distributed applications are vulnerable to MitM attacks, especially those using the public Internet, which is basically every mobile application.

MitM attacks have been used to steal login credentials, bank account numbers and social security numbers, and to deny service by dropping or tampering with traffic in transit. You really don’t want to deploy a mobile app that is vulnerable to MitM attacks.

Encrypting network traffic provides basic protection against MitM attacks, but encryption alone is not foolproof. The artifacts that establish trust are themselves targets: private keys can be stolen, and certificates can be fraudulently issued or a rogue CA slipped into the device’s trust store.

Dynamic certificate pinning addresses these additional challenges by storing and updating information in the mobile app that allows the app to know when it’s communicating with a fake endpoint. 

If you want to get started with static certificate pinning, the free Pinning Generator Tool from Approov makes it simple to generate and maintain pinning configurations for your mobile apps. Bear in mind, though, that static pinning is harder to maintain than dynamic pinning, because every pin change requires shipping a new version of the app.


Copyright © Intellyx B.V. Intellyx is editorially responsible for this document. No AI bots were used to write this content. At the time of writing, Approov is an Intellyx client.


Eric Newcomer

Eric Newcomer is Principal Analyst and CTO at Intellyx, a technology analysis firm focused on enterprise digital transformation.

He previously served as CTO at WSO2 and at IONA, led Security Architecture for Citi’s consumer banking and was Chief Architect for Citi and Credit Suisse’s trade and investment divisions.

Eric is an internationally recognized expert in transaction processing, integration and cloud migration, having contributed to many industry standards including OSGi, Eclipse, SOAP, WSDL, UDDI, AMQP and more. His textbooks, including Principles of Transaction Processing, Understanding Web Services, and Understanding SOA with Web Services are used at universities around the world.