Mobile SSL Pinning - Implementation and Security
Strengthen your mobile application security with certificate pinning.
SSL Pinning (or Certificate Pinning) is a security technique that binds a mobile application to a specific TLS certificate or, more commonly, to its public key. The application then accepts a connection only if the server presents that pinned certificate or key, which defeats man-in-the-middle attacks even when the attacker holds a valid certificate for your domain issued by a certificate authority the device trusts.
Without pinning, an application trusts any certificate signed by a CA in the system trust store. With pinning, the application only trusts the certificate or public key you have specifically configured.
MoniTao helps you monitor your certificates and alerts you when they change, which is crucial if you use SSL Pinning because you'll need to update your applications during renewals.
What is SSL Pinning?
Understanding the concept of certificate pinning:
- Trust store vs Pinning: normally, an application trusts all system CAs. Pinning restricts this trust to a specific certificate or key.
- MITM protection: even if an attacker obtains a certificate for your domain that the device would otherwise trust (through a CA compromise, a mis-issuance, or social engineering of a CA's validation process), the application rejects it because its key does not match a pin. Pinning does not protect a device the attacker already controls: on a rooted or instrumented phone the pin check itself can be hooked out.
- Pin certificate vs Pin public key: you can pin the entire certificate or just the public key. Pinning the public key allows certificate renewal without changing the pin.
- Backup pins: always configure backup pins to avoid locking out your users in case of certificate renewal.
Types of SSL Pinning
Different pinning approaches:
- Certificate Pinning: pin the exact certificate. Simple but requires an app update with each certificate renewal.
- Public Key Pinning: pin only the public key. Allows certificate renewal as long as the key stays the same.
- Intermediate/Root Pinning: pin the intermediate or root CA certificate. More flexible, since any leaf that CA issues is accepted, but weaker for the same reason: the CA can issue certificates for your domain to anyone who passes its validation, and public CAs rotate their intermediates, which breaks the pin.
- SPKI Hash Pinning: pin the SHA-256 hash of the Subject Public Key Info. The most common and recommended method.
Implementing SSL Pinning
Steps to implement pinning:
- Extract the pin: get the SPKI hash of your certificate or public key.
- Configure the application: add the pin to the platform's declarative configuration (iOS 14+: NSPinnedDomains under NSAppTransportSecurity in Info.plist, with SPKI-SHA256-BASE64 values; Android 7+ / API 24: network_security_config.xml, referenced from the manifest). Older iOS versions need the check in the networking layer (for example a URLSession authentication-challenge delegate).
- Add backup pins: include at least one backup pin to avoid lockouts during renewals.
- Test rigorously: test that the application rejects unpinned certificates and accepts correct ones.
Implementation Examples
Code for different platforms:
# Extract the SPKI hash of the leaf certificate a server presents
# (-servername sends SNI; </dev/null closes stdin so s_client exits after the handshake)
openssl s_client -connect api.mysite.com:443 -servername api.mysite.com </dev/null 2>/dev/null | \
openssl x509 -pubkey -noout | \
openssl pkey -pubin -outform DER | \
openssl dgst -sha256 -binary | base64
# Result (placeholder value): AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
# To pin an intermediate instead, add -showcerts and hash the relevant certificate of the chain.
# Android (network_security_config.xml)
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.mysite.com</domain>
        <pin-set expiration="2025-01-01">
            <pin digest="SHA-256">AAAA...=</pin>
            <pin digest="SHA-256">BBBB...=</pin> <!-- backup -->
        </pin-set>
    </domain-config>
</network-security-config>
The SPKI hash is added to the application's network security configuration, which must be referenced from AndroidManifest.xml with android:networkSecurityConfig="@xml/network_security_config" on the application element. Android accepts the connection when any certificate in the validated chain matches one of the pins. Once the pin-set expiration date has passed, Android stops enforcing the pins for that domain and falls back to the system trust store: expiration is a safety valve against locking out users of an old app version, not a security control, so put that date in your renewal calendar. Always include a backup pin for a key you keep offline.
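The following script is an added example for this page, not MoniTao's code. It uses only the openssl CLI and throwaway self-signed certificates (constructed on the fly, with the api.mysite.com hostname assumed from the text) to show the whole procedure above end to end: computing an SPKI pin from a certificate, computing the backup pin directly from an offline key before any certificate exists for it, writing the Android configuration, and checking which certificates that configuration would accept. The self-signed certificates stand in for CA-issued ones; the pin computation is identical.

```shell
#!/bin/sh
# Added example: SPKI pins follow the key, not the certificate.
# Requires the openssl CLI. Everything is generated in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=api.mysite.com   # assumption: the API hostname used elsewhere on this page

# SPKI pin of a certificate: base64(SHA-256(DER SubjectPublicKeyInfo)).
spki_pin() {  # spki_pin cert.pem
  openssl x509 -in "$1" -pubkey -noout |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

# The same pin computed from a private key: this is how the backup pin is
# produced while the backup key sits offline and has never been in a cert.
key_pin() {  # key_pin key.pem
  openssl pkey -in "$1" -pubout -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

# Self-signed certificate for $HOST from an existing key (stand-in for a
# CA-issued one; every call yields a new certificate with a new serial).
issue_cert() {  # issue_cert key.pem out.pem
  openssl req -x509 -new -key "$1" -out "$2" -days 90 -subj "/CN=$HOST" 2>/dev/null
}

# Key 1 is the live server key: one initial certificate and one renewal.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key1.pem"
issue_cert "$WORK/key1.pem" "$WORK/cert1-initial.pem"
issue_cert "$WORK/key1.pem" "$WORK/cert1-renewed.pem"
# Key 2 is the offline backup key; no certificate has been issued for it.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key2.pem"
# Key 3 stands in for a rogue or mis-issued certificate for the same host.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key3.pem"
issue_cert "$WORK/key3.pem" "$WORK/cert3-rogue.pem"

PIN_LIVE=$(spki_pin "$WORK/cert1-initial.pem")
PIN_BACKUP=$(key_pin "$WORK/key2.pem")

# Android network security config with the live pin and the backup pin.
CONFIG="$WORK/network_security_config.xml"
cat > "$CONFIG" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">$HOST</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">$PIN_LIVE</pin>
            <pin digest="SHA-256">$PIN_BACKUP</pin>
        </pin-set>
    </domain-config>
</network-security-config>
EOF

# Would this configuration accept a given certificate? (exit 0 = pinned)
cert_is_pinned() {  # cert_is_pinned cert.pem config.xml
  grep -qF -- "<pin digest=\"SHA-256\">$(spki_pin "$1")</pin>" "$2"
}

echo "live pin:   $PIN_LIVE"
echo "backup pin: $PIN_BACKUP"
for c in cert1-initial cert1-renewed cert3-rogue; do
  if cert_is_pinned "$WORK/$c.pem" "$CONFIG"; then
    echo "$c: accepted"
  else
    echo "$c: REJECTED"
  fi
done
```

The renewed certificate is accepted without any change to the configuration because it carries the same key as the initial one, while the rogue certificate for the same hostname is rejected. Generating the backup pin from key2 before that key is ever used is the practice the best practices section below relies on: the backup key only needs to leave the safe when you rotate.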
Best Practices
Tips for successful SSL Pinning:
- Always have backup pins: without a backup, a key change will lock out every user until they install an updated app. Generate the backup key in advance, compute its pin from the key, and keep the key offline until you need it.
- Pin the public key, not the certificate: this allows certificate renewal without changing the pin, as long as you keep the same key. Check that your renewal tooling actually reuses the key; many ACME clients generate a fresh one at each renewal by default.
- Plan renewals: coordinate certificate renewal with an application update to add the new pin.
- Monitor your certificates: use MoniTao to be alerted before expiration and have time to prepare the new pin.
SSL Pinning Checklist
- SPKI hash correctly extracted
- Backup pin configured
- Configuration tested with valid certificate
- Rejection test with invalid certificate
- Update process documented
- Expiration monitoring configured
Frequently Asked Questions
Is SSL Pinning mandatory?
No, but it's strongly recommended for applications handling sensitive data (banking, health, etc.).
What happens if I change the certificate without updating the app?
If the new certificate uses a key whose pin is not in the app (neither the live key nor the backup key), the application refuses to connect to your server and users are stuck until they update. Renewing with the same key, or switching to the key behind your backup pin, keeps existing installs working. This is why backup pins are essential.
How do I handle pinning with Let's Encrypt?
Let's Encrypt certificates are valid for 90 days, and most ACME clients generate a new private key at every renewal unless told otherwise (certbot, for example, needs the --reuse-key option). Pin the SPKI hash of a key you keep stable across renewals, plus a backup key, and make key reuse part of your renewal configuration. Avoid pinning Let's Encrypt's intermediate or root certificates: Let's Encrypt rotates its intermediates, and a pin on them will break.
Does pinning work with CDNs?
It's complex because CDNs can have multiple certificates. Consult your CDN's documentation.
How do I debug pinning errors?
Use Charles Proxy or Wireshark to capture traffic and check which certificate is presented.
Can MoniTao help with SSL Pinning?
MoniTao monitors your certificates and alerts you before expiration, giving you time to prepare new pins.
Secure Your Mobile Applications
SSL Pinning is an essential security layer for mobile applications handling sensitive data. Well implemented, it protects against MITM attacks even by an attacker holding a mis-issued but trusted certificate for your domain. It does not protect a device the attacker controls, and a pin without a backup and a renewal plan is an outage waiting to happen.
With MoniTao, monitor your certificates and anticipate renewals to maintain a smooth user experience while keeping optimal security.