Saturday, 2 February 2013

Mobile Client Side Certificate Pinning

I just completed giving a training on Secure Mobile application development and Code reviews and one of the attendees asked me query whether we can limit a Mobile application to allow only the servers certificate to be a trusted one rather than relying on the Mobile's own Trusted Certificate Store?

Well... there is a way actually. Its called as "Certificate Pinning". Rather than relying on the device trusted store, set the application to trust only the servers SSL certificate. This way, when you are connecting to your specific SSL server, you don’t need anyone else to tell you the server’s identity. Compromises of any of the CA in the device trusted store too does not matter as the connection does not rely on it any more. 

There are ways to implement it on both Android and iOS. Twitter for example; implements certificate pinning and i was not able to intercept traffic even after forcing my certificate on to the OS level trusted certificate list.

Good Reads:

Certificate Pinning on iOS:

Certificate Pinning in Android:

Way to achieve this can be seen here, which is a OWASP page explaining the various details on Certificate Pinning.

However, like all other good things, this too can be bypassed :D .. This link will tell you how you can bypass it on iOS using Mobile Substrate and on Android using JDWP.

Understandably this would not be of much use against remote attacks but atleast would help in cases where attacker tries to fuzz for local vulnebilities in the application right? 

I wonder why none of the other applications are not using it and whether there would be any drawback of suggesting it to the client. 
Open for discussion :)