OWASP Lithuania - Luca Bongiorni 05/03/2015

Certificate Pinning in Mobile Applications


Introduction to Pinning

Why it is good to have it...

State of Art – Android / iOS / Win

Conclusion – Pros & Cons


Mobile applications frequently do not protect network traffic.

They may use SSL/TLS during authentication but not elsewhere.

This inconsistency leads to the risk of exposing data and session IDs to interception.

Business Impact

• Loss of Confidentiality and Integrity

• Company’s reputation at risk

• Incident response costs $$$

• Possible legal issues (e.g. violation of ISO/PCI requirements)

Mitigation

• Use End-to-End encryption between browser and web server (HTTPS)

► SSL/TLS ► Certificate Pinning !


Pinning is the process of associating a host with their expected {X509 certificate || public key}. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. <…>

• The pre-existing relationship between the user and an organization helps make better security related decisions.

• No longer needs to depend on others (e.g. CAs) when making security decisions relating to a peer's identity!


The certificate is easiest to pin. When the certificate expires, you would update your application.

Public key pinning is more flexible but a little trickier due to the extra steps necessary to extract the public key from a certificate.

o As with a certificate, the program checks the extracted public key with its embedded copy of the public key.

o It is harder to work with keys (vs. certificates) since you usually must extract the key from the certificate. Extraction is a minor inconvenience in Java, but it's uncomfortable in Cocoa and OpenSSL.

o The key is static and may violate key rotation policies.


“An IMSI-Catcher (International Mobile Subscriber Identity) is a telephony eavesdropping device used for intercepting mobile phone traffic and tracking movement of subscribers. Essentially a "fake" mobile tower acting between the target mobile phone and the MNO's real BTSes, it is considered a Man-In-The-Middle (MITM) attack.”

Fake WiFi AP + jam real AP? ARP Poisoning?… Old known boring threats.


Pinning is accomplished through a custom X509TrustManager API, in the Google Chrome PubKey pinning style. A customized version of TrustManager from Moxie Marlinspike is available at:

https://github.com/moxie0/AndroidPinning

    /**
     * Constructs a PinningTrustManager with a set of valid pins.
     *
     * @param keyStore A SystemKeyStore that validation will be based on.
     * @param pins An array of encoded pins to match a seen certificate chain against.
     *             A pin is a hex-encoded hash of a X.509 certificate's SubjectPublicKeyInfo.
     *             A pin can be generated using the provided ./tools/pin.py certificate_file.pem
     * @param enforceUntilTimestampMillis A timestamp (in milliseconds) when pins will stop
     *             being enforced. Normal non-pinned certificate validation will continue.
     *             Set this to some period after your build date, or to 0 to enforce pins forever.
     */
    public PinningTrustManager(SystemKeyStore keyStore, String[] pins,
                               long enforceUntilTimestampMillis) {
        this.systemTrustManagers = initializeSystemTrustManagers(keyStore);
        this.systemKeyStore = keyStore;
        this.enforceUntilTimestampMillis = enforceUntilTimestampMillis;

        // Each pin arrives hex-encoded and is stored as raw bytes for comparison.
        for (String pin : pins) {
            this.pins.add(hexStringToByteArray(pin));
        }
    }
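The pin definition above (a hash of the certificate's SubjectPublicKeyInfo) and the earlier comparison of certificate pinning with public key pinning, worked through as an added example; this is not code from the slides or from AndroidPinning. Assumptions: the slides do not name the hash, so SHA-256 is used; all function names are hypothetical; the "certificates" are constructed DER skeletons, not real signed certificates.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at offset off."""
    tag, first = buf[off:off + 2]               # ValueError if fewer than 2 bytes remain
    n = first & 0x7F if first > 0x80 else 0     # long form: n length bytes follow
    start = off + 2 + n
    length = int.from_bytes(buf[off + 2:start], "big") if n else first
    if first == 0x80 or start + length > len(buf):
        raise ValueError("malformed or truncated DER element")
    return tag, start, start + length

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the whole SubjectPublicKeyInfo TLV."""
    tag, start, _ = read_tlv(cert_der, 0)            # outer Certificate SEQUENCE
    tbs_tag, pos, end = read_tlv(cert_der, start)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end:                                 # (tag, element_start, element_end)
        t, _, e = read_tlv(cert_der, pos)
        fields.append((t, pos, e))
        pos = e
    idx = 6 if fields and fields[0][0] == 0xA0 else 5   # optional [0] version comes first
    if tag != 0x30 or tbs_tag != 0x30 or len(fields) <= idx:
        raise ValueError("not a DER certificate with a SubjectPublicKeyInfo")
    return cert_der[fields[idx][1]:fields[idx][2]]

def pin(data, algo="sha256"):   # hash choice is an assumption, not taken from the slides
    return hashlib.new(algo, data).hexdigest()

# Constructed sample data below: DER skeletons with placeholder fields, for the demo only.
def tlv(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def fake_spki(fill):
    return tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + fill * 160))

def fake_cert(serial, spki):
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])),
              seq(), seq(), seq(), seq(), spki)   # sig alg, issuer, validity, subject, SPKI
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

def renewal_demo():
    a, b = fake_spki(b"A"), fake_spki(b"B")
    old, renewed, rekeyed = fake_cert(1, a), fake_cert(2, a), fake_cert(3, b)
    return (pin(old) == pin(renewed),                               # certificate pin survives renewal?
            pin(extract_spki(old)) == pin(extract_spki(renewed)),   # public key pin survives renewal?
            pin(extract_spki(old)) == pin(extract_spki(rekeyed)))   # public key pin survives re-keying?
```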


The method used to pin certificates is connection:willSendRequestForAuthenticationChallenge: inside the NSURLConnectionDelegate protocol.

This method gets called when an SSL connection is made, giving the developer a chance to inspect the authentication challenge and either proceed or fail.

The code below shows how you can check the certificate sent by the server against a known certificate embedded in your application.

After awaiting socket.UpgradeToSslAsync(), check socket.Information.ServerCertificate for the cert that was provided by the server. You can verify that it's the cert you were expecting before you send any data.

The majority of Windows Phone 8 applications on the Marketplace lack certificate pinning due to the difficulty of implementing this security measure on the platform. Possible solutions:

• For Win 8.0: Use an open source third party library for SSL such as OpenSSL or Bouncy Castle crypto libs and attempt to build for Windows Phone. Cons: It may require significant effort to implement correctly.

• For Win 8.0: Use a commercial library supporting SSL pinning: SecureBlackBox (https://www.eldos.com/sbb/). Cons: $$$

• >= Win 8.1: Thanks to the use of StreamSocket we can read the contents of the certificate via the StreamSocket.Information.ServerCertificate property.

    StreamSocket s = new StreamSocket();
    await s.ConnectAsync(new HostName(SrvURL), "443");
    // Await the upgrade so the SSL handshake has completed before the certificate is read.
    await s.UpgradeToSslAsync(SocketProtectionLevel.Ssl, new HostName(SrvURL));
    // Certificate presented by the server; verify it is the expected one before sending data.
    var certificate = s.Information.ServerCertificate;


PROS

• Better Security: Drastically reduces the ability to conduct successful MITM attacks.

• Not Hard to Implement: Basic certificate pinning is not as difficult to implement as it seems.

• Cost Saving: By using a self-signed certificate it is possible to reduce the costs, instead of paying for a certificate.

CONS

• Possible problems in case of Certificate or PubKey revocation.

• Egress filtering in a corporate environment (i.e. Interception Proxy)

• The certificate embedded in your app will eventually expire. You have to either plan for an app update that contains an updated certificate, or code a way for the application to download the new certificate, which is hardly achievable in practice.
