TLS (Transport Layer Security), also known as SSL (Secure Sockets Layer), is a big part of internet security and data privacy. The ‘lock’ mark that you (hopefully) see in the address bar of your browser is what keeps the data between your PC and the website server secure. In other words, it makes sure that no one intercepts or alters the information being transmitted between the two endpoints.
This is done by the TLS handshake, a process in which the two parties, client and server, validate each other and then start communicating through the secure SSL/TLS tunnel. This verification is made possible by SSL (now TLS) certificates installed on servers. These certificates are issued by trusted certificate authorities, and once the client recognizes the certificate’s legitimacy, the communication between the client and the server is started.
Needless to say, this process is much more complicated and involves a series of steps. However, we won’t get into it – at least for now.
In mobile apps, an app developer specifies a list of trusted certificates that are used to verify the identity of the server. Android and iOS apps carry a default list of trusted root certificate authorities installed by the manufacturer of the device. Only the certificates issued by these authorities are trusted for communication.
TLS Pinning, however, takes this security mechanism a step further. Here, the app developer specifies certain certificates (or their public keys), and the connection is allowed only if one of these is presented by the server. If none is found, the connection is refused before any data is exchanged.
Why TLS Pinning?
The default security provisions of reputable mobile apps work well in most cases, but there is still scope for hackers and fraudsters to get a foothold and execute a Man-in-the-Middle (MiTM) attack. One of the main ways this is done is by installing a malicious root certificate on the device through phishing. Once this rogue root certificate is installed and trusted, intercepting the data becomes an easy job for the attacker.
TLS Pinning closes this gap, because only the specified certificates are trusted, regardless of what is in the device’s trust store. This is especially important when dealing with sensitive information such as financial data, healthcare records, personal information, etc.
How to Implement TLS Pinning in Android
Certificate pinning is implemented by providing a set of pins, each being the hash of a certificate’s public key (the SubjectPublicKeyInfo of the X.509 certificate). A certificate chain is then valid only if it contains at least one of the pinned public keys.
Note that, when using certificate pinning, you must always include a backup key so that if you are forced to switch to new keys or change CAs (when pinning to a CA certificate or an intermediate of that CA), your app’s connectivity is unaffected. Otherwise, you must push out an update to the app to restore connectivity.
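An Android network security configuration for the pinning described above, including the backup pin the previous paragraph calls for. This is an added example, not taken from the original article; the domain api.example.com, the expiration date and the two pin values are placeholders to be replaced with your own SPKI hashes.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  res/xml/network_security_config.xml
  Reference it from the manifest on the <application> element:
    android:networkSecurityConfig="@xml/network_security_config"

  Each pin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo.
  One way to compute it from a PEM certificate:
    openssl x509 -in server.pem -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
-->
<network-security-config>
    <domain-config>
        <!-- Placeholder host; pins apply to this domain and its subdomains -->
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- After the expiration date the pins are ignored and normal CA
             validation applies, so an expired pin set cannot brick the app -->
        <pin-set expiration="2026-12-31">
            <!-- Primary pin: SPKI hash of the key currently served
                 (placeholder value) -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>

            <!-- Backup pin: SPKI hash of a key generated in advance and kept
                 offline; rotating to it does not require an app update
                 (placeholder value) -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

A chain presented by api.example.com is accepted only if one of its certificates has a public key whose SPKI hash matches a pin; a chain signed by a user-installed root that does not contain a pinned key is rejected even though the device trusts that root.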
How to Implement TLS Pinning on iOS
The most convenient way of implementing TLS Pinning in iOS is through NSURLSession. You can handle SSL pinning by implementing the URLSession:didReceiveChallenge:completionHandler: delegate method and validating the server’s certificate chain there before accepting the challenge.
How to Test Mobile App TLS Pinning
Once you’ve pinned your certificate in your mobile app, you must test it to make sure that it’s working the way it’s intended. And do you know what the best way to test is? Yes, you guessed it right: become an attacker yourself. In other words, you become the ‘man in the middle.’ If you’ve pinned your mobile app appropriately, there’s no way the ‘man in the middle’ (technically you) will get through.
To test your app, you first need to intercept the communication happening over your mobile app’s network connection. The easiest way to do this is to use a network proxy tool. To intercept the data transmission, you must install the proxy tool’s certificate as a trusted root CA on the mobile device that will run the app. Once installed, this proxy tool will act as the ‘man in the middle’ and will intercept the information.
Now, if the proxy tool succeeds in intercepting the traffic, TLS Pinning hasn’t been implemented properly. If the app instead refuses the connection, you’re good to go!
How to Make Sure that TLS Pinning is Working
Testing mobile app TLS pinning is something that developers should do on a continuous basis, and doing it manually is of course not a sound solution. The solution here is to integrate dynamic application security testing (DAST) directly into the DevOps pipeline so that every build is security tested, every day.
In today’s security world, when hackers and fraudsters are always on the prowl, developers must stay a step ahead of them. Certificate Pinning can be an important tool in the armory of mobile app developers wanting to protect app data and privacy by thwarting Man-in-the-Middle (MiTM) attacks.