Saturday 2 February 2013

Mobile Client Side Certificate Pinning


I just finished giving a training on secure mobile application development and code review, and one of the attendees asked whether a mobile application can be limited to trusting only the server's certificate, rather than relying on the phone's own trusted certificate store.

Well... there is a way actually. It's called "Certificate Pinning". Rather than relying on the device trust store, the application is set to trust only the server's SSL certificate. This way, when you connect to your specific SSL server, you don't need anyone else to vouch for the server's identity. A compromise of any CA in the device trust store no longer matters either, because the connection does not rely on it any more.

There are ways to implement it on both Android and iOS. Twitter, for example, implements certificate pinning, and I was not able to intercept its traffic even after forcing my own certificate into the OS-level trusted certificate list.
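As an added example that is not from the post or from any of the pages it links, here is the pinning idea on Android with a custom `X509TrustManager`: the device trust store still validates the chain, and on top of that the app requires some certificate in the chain to carry a public key whose SHA-256 hash is compiled into the app. The class name, the `open` helper and the pin value are my placeholders; the real pin is computed offline from the server's actual certificate.

```java
import java.net.URL;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/** Accepts a server chain only if default CA validation passes AND a pinned key is present. */
public final class PinningTrustManager implements X509TrustManager {
    // Placeholder pin: hex SHA-256 over the DER SubjectPublicKeyInfo of the server's key.
    private static final Set<String> PINS = new HashSet<>(
            Arrays.asList("<hex sha256 of server SPKI placeholder>"));
    private final X509TrustManager system;

    public PinningTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                       // device's default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        system = found;
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        system.checkServerTrusted(chain, authType);      // normal chain validation first
        for (X509Certificate cert : chain)               // then require a pinned public key
            if (PINS.contains(spkiSha256Hex(cert))) return;
        throw new CertificateException("server public key does not match any pin");
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { system.checkClientTrusted(chain, authType); }

    @Override public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }

    // PublicKey.getEncoded() is the DER SubjectPublicKeyInfo; pinning its hash survives
    // certificate renewals that keep the same key pair, unlike pinning the whole cert.
    static String spkiSha256Hex(X509Certificate cert) throws CertificateException {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }

    /** Opens an HTTPS connection whose handshake is checked by the pinning manager. */
    public static HttpsURLConnection open(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

A certificate pushed into the OS trust store by a proxy will pass the first check but fail the pin, which is the behaviour the post observed with Twitter.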

Good Reads:

Certificate Pinning on iOS:

Certificate Pinning in Android:

How to achieve this can be seen here, an OWASP page explaining the various details of Certificate Pinning.

However, like all other good things, this too can be bypassed :D ... This link will tell you how it can be bypassed on iOS using Mobile Substrate and on Android using JDWP.

Understandably, this would not be of much use against remote attacks, but it would at least help in cases where an attacker tries to fuzz for local vulnerabilities in the application, right?

I wonder why none of the other applications are using it, and whether there would be any drawback in suggesting it to the client.
Open for discussion :)
