Press "Enter" to skip to content

Securing your Mobile Apps through SSL Pinning

The rise of enterprise mobility in the past decade has brought comfort and easiness to people’s lives but along with it has evolved a risk and threat of security. But How? Before, people didn’t use to transfer money through mobile devices, or take doctor appointments for an online session through their phones, but now, they do.

These are times when we want our mobile apps to be secured and invulnerable to any attack. Banking apps are one the of the first examples, where highly secured communication is needed in order to keep data confidentiality and integrity intact.

What is an MITM attack?

Man in the Middle, abbreviated as (MITM), is where the attacker tries to intercept the communication between Client and Server. It gives the attacker full control of the sensitive data which is being passed and to manipulate it in anyway they want. In this attack the sender and receiver are unaware that they are being monitored or their session is being intercepted by a third person. This attack is also referred as session high-jacking.

Man in the middle attack
Art Courtesy by my friend and co-worker Abdul Subhan, give him some love at his facebook page Arteous.

Preventing a MITM attack

To avoid eavesdropping caused by any MITM attack, there are things we can do to ensure transmission of sensitive data is being done securely between the Client and Server-end. There certainly are different ways we can make that happen, but the one we’re going to discuss here today is SSL (Secure Socket Layer) Pinning, which is the most commonly used.

So really what the heck is this SSL Pinning?

SSL Pinning is to make sure that the connection, a client is making to a server is the one it is supposed to trust and connect with by using a known copy of the server’s public certificate. In a mobile application the client side knows that which server it’s going to connect to, so every time a request is made by client; server’s certificate is validated with the copy present on the device.  In any case if the client fails to validates the certificate, it rejects and throws a failure. This certificate validate technique is called Certificate Pinning. There is an alternate you can do which is known as Public Key Pinning, where the Public key is extracted from the server’s  & the local copy of the certificate which is in X509 format (X509 is a standard which defines the format of a Public key certificate).

Implementing SSL Pinning in iOS

If you’re using AFNetworking or Alamofire, doing SSL pinning is quite simple. It has its own Security Policy class, which only needs the type of pinning you want to do i.e. Certificate or Public Key. With URLSession’s dataTask things are little bit tricky and lengthy to write. You can also check out TrustKit.
A sample showing Certificate Pinning can be found here.

Implementing SSL Pinning in Android

Like iOS, TrustKit is also available for Android to make things easy and swift for you. It can be used with OkHttp for pinning. If you’re not using that, OkHttp is much self sufficient and provides a Certificate Pinner class which takes in the certificate’s SHA, and then passes it to the OkHttpClient object, which is then further passed to the request.
A sample project can be found here.

Downside of SSL Pinning

Along with greater security comes greater pain in the neck. The certificate/public keys bundled in your app will eventually expire. You might have to plan an app update every time before the expiry comes, or might have to write a way to download the certificate inside app. For Public Key pinning you’ll have to make sure that the Public Key of the certificate on the server remains the same.

Mocking a MITM attack for testing

To check whether your app is secured or not, It can be tested by tools made by different companies, a few known names are Charles Proxy, Burp Suite, WireShark and so on. I have created a detailed document on how to set up Charles on your machine and device, Click here to download.

Nevertheless, despite being one of the most commonly used solution for security, SSL Pinning is yet not foolproof. In order to stay safe from such attacks, it’s best not to use public wifis or accept certificate prompts on your phone which are untrusted or seem fishy to you.

If you have any questions or queries or want to share your experience regarding this topic, please feel free to post it on the comment section below.

Good Day! 🙂

Few Reading Resources:

  1. https://blog.netspi.com/certificate-pinning-in-a-mobile-application/
  2. https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/
  3. https://www.digicert.com/blog/benefits-of-public-key-pinning/
  4. https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
  5. https://medium.com/@develodroid/android-ssl-pinning-using-okhttp-ca1239065616

Author: Aaqib Hussain

Aaqib is an enthusiastic programmer with the love of Swift and anything that looks like Swift i.e Kotlin. He loves writing code in Swift, and exploring new technology and platforms. He likes to listen to old music. When he is not writing code, he’s probably spend his time watching movies, tv-shows or anime, or either doing some research for writing the next article. He started Kode Snippets in 2015.

2 Comments

  1. Asad Rasheed
    Asad Rasheed March 26, 2018

    Well done!! you summarized it well, keep your experience coming it will help other developers to make their applications secure. certificate pinning and public pining is an easy way to go against Man in the Middle attack.

  2. Farooq Rasheed
    Farooq Rasheed March 26, 2018

    Great work Sir Aaib (Y) I am following your tutorials since last year. You are such a great developer, your blogs helped me a lot in my development ground. I am implementing SSL Pinning and waiting for more from your side 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *