The rise of enterprise mobility in the past decade has brought comfort and ease to people's lives, but along with it has come a new set of security risks and threats. How? Before, people did not transfer money through mobile devices or book doctor appointments for an online session through their phones; now they do.
These are times when we want our mobile apps to be secure and invulnerable to attack. Banking apps are one of the first examples where highly secure communication is needed in order to keep data confidentiality and integrity intact.
Man in the Middle, abbreviated MITM, is an attack where the attacker intercepts the communication between client and server. It gives the attacker full control of the sensitive data being passed and the ability to manipulate it in any way they want. In this attack the sender and receiver are unaware that they are being monitored or that their session is being intercepted by a third party. This attack is also referred to as session hijacking.
To avoid the eavesdropping caused by a MITM attack, there are things we can do to ensure that sensitive data is transmitted securely between the client and the server. There are certainly different ways to make that happen, but the one we are going to discuss here is SSL (Secure Sockets Layer) Pinning, which is the most commonly used.
SSL Pinning makes sure that the server a client connects to is the one it is supposed to trust, by using a known copy of the server's public certificate. In a mobile application the client side knows which server it is going to connect to, so every time the client makes a request, the server's certificate is validated against the copy bundled on the device. If the client fails to validate the certificate, it rejects the connection and throws a failure. This certificate validation technique is called Certificate Pinning. An alternative is Public Key Pinning, where the public key is extracted from both the server's certificate and the local copy, which are in X.509 format (X.509 is the standard that defines the format of a public key certificate), and the two keys are compared.
If you are using AFNetworking or Alamofire, doing SSL pinning is quite simple. Each has its own security policy class, which only needs to be told the type of pinning you want, i.e. Certificate or Public Key. With URLSession's dataTask things are a little trickier and lengthier to write. You can also check out TrustKit.
A sample showing Certificate Pinning can be found here.
As on iOS, TrustKit is also available for Android to make things easy and swift for you. It can be used with OkHttp for pinning. If you are not using TrustKit, OkHttp is fairly self-sufficient on its own and provides a CertificatePinner class which takes the certificate's SHA hash; the pinner is passed to the OkHttpClient object, which is then used to make the request.
A sample project can be found here.
Along with greater security comes a greater pain in the neck. The certificates or public keys bundled in your app will eventually expire. You might have to plan an app update before every expiry, or write a way to download the certificate inside the app. For Public Key Pinning you will have to make sure that the public key of the certificate on the server remains the same across renewals.
To check whether your app is actually secured, it can be tested with tools made by different companies; a few known names are Charles Proxy, Burp Suite, Wireshark and so on. I have created a detailed document on how to set up Charles on your machine and device; click here to download it.
Nevertheless, despite being one of the most commonly used security solutions, SSL Pinning is still not foolproof. In order to stay safe from such attacks, it is best not to use public Wi-Fi or to accept certificate prompts on your phone that are untrusted or seem fishy to you.
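To make the Certificate Pinning versus Public Key Pinning distinction and the expiry problem concrete, here is an added example in Go (not code from the original post, and not tied to any of the libraries it mentions): it computes both kinds of pin in the "sha256/<base64>" form OkHttp's CertificatePinner takes, runs the client-side pin check, and shows that renewing a certificate with the same key pair breaks a certificate pin but not a public key pin. The host name api.example.test and the self-signed test certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// CertPin hashes the whole DER certificate, PublicKeyPin only its SubjectPublicKeyInfo; both use OkHttp's "sha256/<base64>" form.
func CertPin(c *x509.Certificate) string      { return pin(c.Raw) }
func PublicKeyPin(c *x509.Certificate) string { return pin(c.RawSubjectPublicKeyInfo) }
func pin(der []byte) string {
	sum := sha256.Sum256(der)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}
// VerifyPinned is the client-side check: accept the presented certificate only if its pin is bundled in the app.
func VerifyPinned(presented *x509.Certificate, bundled []string, pinOf func(*x509.Certificate) string) error {
	got := pinOf(presented)
	for _, p := range bundled {
		if p == got {
			return nil
		}
	}
	return fmt.Errorf("pin mismatch: %s is not a bundled pin", got)
}

// selfSigned issues a constructed self-signed test certificate for the hypothetical host api.example.test.
func selfSigned(pub ed25519.PublicKey, priv ed25519.PrivateKey, ttl time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "api.example.test"}, NotAfter: time.Now().Add(ttl)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("could not issue the constructed test certificate")
	}
	return cert
}
// RenewalScenario models the expiry problem from the text: the server keeps its key pair but gets a renewed certificate.
func RenewalScenario() (certPinErr, keyPinErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	old := selfSigned(pub, priv, 24*time.Hour)
	renewed := selfSigned(pub, priv, 365*24*time.Hour)
	certPinErr = VerifyPinned(renewed, []string{CertPin(old)}, CertPin)          // mismatch: app update needed
	keyPinErr = VerifyPinned(renewed, []string{PublicKeyPin(old)}, PublicKeyPin) // nil: key pin still valid
	return certPinErr, keyPinErr
}
```

The same two hashes are what you would compute from a real server certificate (for example with openssl) and ship in the app; which one you pin decides whether a routine certificate renewal forces an app update.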
If you have any questions or queries or want to share your experience regarding this topic, please feel free to post it on the comment section below.
Good Day! 🙂
Well done!! You summarized it well; keep your experience coming, it will help other developers make their applications secure. Certificate pinning and public key pinning are an easy way to go against Man in the Middle attacks.
Great work Sir Aaib (Y) I have been following your tutorials since last year. You are such a great developer; your blogs helped me a lot in my development. I am implementing SSL Pinning and waiting for more from your side :)
Great article
Great article