Certificate Pinning is a security technique that binds a specific certificate, or more commonly the public key it carries, to a particular host or domain. Ordinary TLS validation accepts any certificate that chains to one of the Certificate Authorities (CAs) trusted by the device; pinning narrows this so that the app accepts only the pinned certificate or key, and a certificate that was mis-issued or obtained from a rogue or compromised CA is rejected even though it would otherwise validate. This protects app-to-server communications from man-in-the-middle (MitM) attacks. When used correctly, Certificate Pinning can be an effective security measure.
Certificate pinning for mobile apps is typically done using one of two methods:
- Static Certificate Pinning: Static certificate pinning is the process of hard-coding pins into the app, typically hashes of the server's certificate or public key. In this approach, if the server presents a certificate whose key is not in the pin set, the app will no longer be able to connect to the server. This makes static pinning problematic and introduces new risks of its own. For example, a certificate may expire or have to be revoked because its key has been compromised; if the app pinned only that certificate, it loses its connection to the server until an updated app has been released and installed by every user. This can lead to downtime and lost revenue, as happened with Barclays Bank UK in 2016. Pinning the public key rather than the whole certificate, and shipping a backup pin for a spare key kept offline, reduces this exposure but does not remove the dependency on an app release. More details on static certificate pinning are available here.
- Dynamic Certificate Pinning: This is the better approach. It allows developers to pin certificates without hard-coding static pins into the app. Dynamic certificate pinning overcomes the problems of static pinning by enabling the app to fetch the trusted certificates or public keys (pins) from a remote server. This means that the pins used to protect API connections can be updated as soon as a certificate is rotated, revoked or compromised, so the app always holds a valid pin set. Pins can be updated without a change to the mobile app, removing the service downtime caused by certificate issues. The pin delivery itself must be authenticated, for example by signing each pin set with a key built into the app and checking that signature before the pins are applied; otherwise an attacker who can interfere with the pin fetch could simply install their own pin. More details on dynamic certificate pinning are available here.
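As an added worked example, not code from the original page or from Approov, the following Go program shows what a pin is and how both approaches check it: it pins base64 SHA-256 hashes of the server's SubjectPublicKeyInfo rather than whole certificates, keeps a backup pin, shows that a renewed certificate carrying the same key still passes while a certificate for the same hostname under a different key fails, and models a dynamic pin update that is applied only when its signature verifies under a key built into the app. The hostname api.example.com, the self-signed certificates generated at run time and the newline-separated signed pin-list format are constructed for the example and are not any product's real format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SPKIPin returns base64(SHA-256(DER SubjectPublicKeyInfo)), the pin form used by HPKP and
// Android's network security config. Pinning the key lets the server renew its certificate.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet holds the acceptable pins: the live key plus at least one offline backup key.
type PinSet map[string]bool

// Verify accepts a chain if any certificate in it carries a pinned public key.
func (p PinSet) Verify(chain []*x509.Certificate) error {
	for _, c := range chain {
		if p[SPKIPin(c)] {
			return nil
		}
	}
	return errors.New("pinning failure: no pinned public key in chain")
}

// VerifyPeerCertificate has the signature of tls.Config.VerifyPeerCertificate, the hook
// where an app enforces pins after the normal chain validation has already passed.
func (p PinSet) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	var chain []*x509.Certificate
	for _, raw := range rawCerts {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		chain = append(chain, c)
	}
	return p.Verify(chain)
}

// ParseSignedPinSet models a dynamic pin update (hypothetical newline-separated format): the
// list is accepted only if it verifies under a signing key built into the app, so the update
// channel itself cannot be used to feed the app an attacker's pin.
func ParseSignedPinSet(signer *ecdsa.PublicKey, payload, sig []byte) (PinSet, error) {
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(signer, digest[:], sig) {
		return nil, errors.New("pin update rejected: bad signature")
	}
	pins := PinSet{}
	for _, line := range strings.Split(strings.TrimSpace(string(payload)), "\n") {
		pins[strings.TrimSpace(line)] = true
	}
	return pins, nil
}

// newKey and selfSigned produce constructed test material; a real app pins the server's key.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func selfSigned(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "api.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	live, backup, attacker := newKey(), newKey(), newKey()
	pins := PinSet{SPKIPin(selfSigned(live, 1)): true, SPKIPin(selfSigned(backup, 2)): true}
	fmt.Println("renewed cert, same key:  ", pins.Verify([]*x509.Certificate{selfSigned(live, 3)}))
	fmt.Println("attacker cert, other key:", pins.Verify([]*x509.Certificate{selfSigned(attacker, 4)}))
	fmt.Println("rotated to backup key:   ", pins.Verify([]*x509.Certificate{selfSigned(backup, 5)}))
}
```

PinSet.VerifyPeerCertificate can be assigned to the VerifyPeerCertificate field of a client tls.Config so that the pins are enforced in addition to the standard hostname and chain checks, which must stay enabled (InsecureSkipVerify must remain false); pinning is an extra check, not a replacement for validation. The same PinSet type serves a static scheme, where the pins are compiled in, and a dynamic one, where ParseSignedPinSet replaces them at run time; in the dynamic case the scheme is only as strong as the signature check on the update, which is why the example trusts a built-in signing key rather than the delivery channel.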
Unfortunately, implementing certificate pinning for mobile apps has been complex, and this has caused many companies to avoid adopting it, leaving their API traffic open to interception. This is a very risky position to take. For a full discussion of your options, alongside the pros and cons of certificate pinning implementation, monitoring and management, please check out our Man-in-the-Middle (MitM) whitepaper.
There is also a webinar where some of our Approov experts discuss the issues around preventing MitM attacks through judicious use of certificate pinning. A recording of the webinar is available here. If you would like to speak to one of our experts on this topic, please use this form to contact us.