The rise of enterprise mobility in the past decade has brought comfort and convenience to people's lives, but along with it has come a growing security risk. How? People did not use to transfer money or book doctor appointments for online sessions through their phones, but now they do.
These are times when we want our mobile apps to be secure and resistant to attack. Banking apps are one of the first examples where highly secure communication is needed to keep data confidentiality and integrity intact.
What is an MITM attack?
Man in the Middle, abbreviated MITM, is an attack in which the attacker intercepts the communication between client and server. It gives the attacker full control of the sensitive data being passed and the ability to manipulate it in any way they want. In this attack the sender and receiver are unaware that they are being monitored or that their session is being intercepted by a third party. This attack is also referred to as session hijacking.
Preventing a MITM attack
To avoid the eavesdropping that an MITM attack causes, there are things we can do to ensure that sensitive data is transmitted securely between the client and the server. There are certainly different ways to make that happen, but the one we are going to discuss here today is SSL (Secure Sockets Layer) Pinning, which is the most commonly used.
So really, what the heck is this SSL Pinning?
SSL Pinning makes sure that the server a client connects to is the one it is supposed to trust, by using a known copy of the server's public certificate. In a mobile application the client side knows which server it is going to connect to, so every time the client makes a request, the server's certificate is validated against the copy present on the device. If the client fails to validate the certificate, it rejects the connection and throws a failure. This certificate-validation technique is called Certificate Pinning. An alternative is Public Key Pinning, where the public key is extracted from both the server's certificate and the local copy, both in X.509 format (X.509 is the standard that defines the format of a public key certificate), and the two keys are compared.
Implementing SSL Pinning in iOS
If you are using AFNetworking or Alamofire, doing SSL pinning is quite simple. Each has its own security policy class, which only needs the type of pinning you want to do, i.e. Certificate or Public Key. With URLSession's dataTask, things are a little trickier and lengthier to write. You can also check out TrustKit.
A sample showing Certificate Pinning can be found here.
Implementing SSL Pinning in Android
Like on iOS, TrustKit is also available for Android to make things easy and swift for you. It can be used with OkHttp for pinning. If you are not using that, OkHttp is fairly self-sufficient on its own and provides a CertificatePinner class, which takes the certificate's SHA hash and is then passed to the OkHttpClient object, which is in turn used to make the request.
A sample project can be found here.
Downside of SSL Pinning
Along with greater security comes a greater pain in the neck. The certificates or public keys bundled in your app will eventually expire. You might have to plan an app update each time before the expiry comes, or might have to write a way to download the certificate inside the app. For Public Key pinning you will have to make sure that the public key of the certificate on the server remains the same.
Mocking a MITM attack for testing
To check whether your app is secured or not, it can be tested with tools made by different companies; a few known names are Charles Proxy, Burp Suite, Wireshark and so on. I have created a detailed document on how to set up Charles on your machine and device; click here to download.
Nevertheless, despite being one of the most commonly used solutions for security, SSL Pinning is still not foolproof. To stay safe from such attacks, it is best not to use public Wi-Fi or accept certificate prompts on your phone that are untrusted or seem fishy to you.
If you have any questions or queries or want to share your experience regarding this topic, please feel free to post it on the comment section below.
Good Day! 🙂
A few reading resources:
- https://blog.netspi.com/certificate-pinning-in-a-mobile-application/
- https://possiblemobile.com/2013/03/ssl-pinning-for-increased-app-security/
- https://www.digicert.com/blog/benefits-of-public-key-pinning/
- https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
- https://medium.com/@develodroid/android-ssl-pinning-using-okhttp-ca1239065616