Implementation of SSL Pinning

Naveen Rudrappa
Walmart Global Tech Blog
3 min read · Mar 16, 2021

In our last blog, Mobile HTTP SSL PINNING: Decoding the untold, we got an understanding of what SSL pinning is. In this blog, we will talk about the possible ways to implement SSL pinning, along with the pros and cons of each of them.


SSL pinning is all about storing certificate-related information in the mobile app (APK or IPA file). There are 4 different ways by which you can pin certificate-related information:

  • The certificate itself as a file
  • Hash of the certificate
  • The public key of the certificate
  • Hash of the public key

A developer who is going to implement this is left with the above 4 choices. Hence it is necessary for the developer to understand which one is better, and why. To conclude on this, the developer needs to understand the main contents of a certificate.

Let's see what the main contents of a certificate are:

  • Domain Name
  • Certificate Validity Period
  • Certificate Authority (CA) Details
  • Public Key
  • Public Key Algorithm
  • Certificate Signature Algorithm
  • SSL/TLS Version
  • Thumbprint
  • Thumbprint Algorithm

Usually, all companies have a policy to get the certificate renewed by the root CA after a specific time frame. This time frame changes from company to company, and the maximum validity time is 825 days as per today's current standards. With each renewal, the “Validity period” of the certificate changes. Thus the certificate content changes, which further implies that the hash of the certificate changes. However, the public key does not change as frequently as the certificate is renewed. Hence it is a good idea to pin public keys in mobile applications. If we go a step further, a hash of the public key makes even more sense, since it needs less space and it is consistent across renewals.
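As an added example (not code from the original post, and not Walmart's), the following Go program derives all four pin forms from a certificate and plays out the scenario just described: the certificate is renewed with the same key, and later the key itself is rotated. It uses only Go's standard library; the certificates are constructed, self-signed stand-ins for CA-issued leaves, and the host name api.example.test is hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Pins holds the four artifacts the post lists as pinnable, all derived from one certificate.
type Pins struct {
	CertDER    []byte // 1. the certificate itself (DER, what a bundled .cer file holds)
	CertSHA256 string // 2. SHA-256 of the whole certificate, base64
	SPKIDER    []byte // 3. the public key as the SubjectPublicKeyInfo structure (DER)
	SPKISHA256 string // 4. SHA-256 of the SubjectPublicKeyInfo, base64
}

// DerivePins computes all four pin forms from a parsed certificate.
func DerivePins(cert *x509.Certificate) Pins {
	certSum := sha256.Sum256(cert.Raw)
	spkiSum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return Pins{
		CertDER:    cert.Raw,
		CertSHA256: base64.StdEncoding.EncodeToString(certSum[:]),
		SPKIDER:    cert.RawSubjectPublicKeyInfo,
		SPKISHA256: base64.StdEncoding.EncodeToString(spkiSum[:]),
	}
}

// PinMatches is the client-side check: accept the presented certificate only if the
// SHA-256 of its SubjectPublicKeyInfo is in the pin set shipped inside the app. A set
// lets the app also carry the pin of the next key, so a planned rotation needs no forced update.
func PinMatches(cert *x509.Certificate, pinSet []string) bool {
	got := DerivePins(cert).SPKISHA256
	for _, pin := range pinSet {
		if got == pin {
			return true
		}
	}
	return false
}

// issueCert builds a self-signed certificate for key: a constructed stand-in for a
// CA-issued leaf, with only the fields that matter here. Panics on error (demo code).
func issueCert(key *ecdsa.PrivateKey, serial int64, notBefore time.Time, days int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "api.example.test"}, // hypothetical host name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Outcome records what survives a renewal (same key) and a rotation (new key).
type Outcome struct {
	CertHashSameAfterRenewal  bool
	SPKIHashSameAfterRenewal  bool
	SPKIHashSameAfterRotation bool
	RenewedPassesPinCheck     bool
	RotatedPassesPinCheck     bool
}

// Demo plays out the post's scenario: the app ships with pins taken from the original
// certificate, the certificate is later renewed with the same key, and later the key is rotated.
func Demo() Outcome {
	key1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen from crypto/rand; error ignored in demo
	key2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start := time.Date(2021, 3, 16, 0, 0, 0, 0, time.UTC)

	original := issueCert(key1, 1, start, 825)                   // 825 days: the maximum validity the post cites
	renewed := issueCert(key1, 2, start.AddDate(0, 0, 800), 825) // renewal: same key, new serial and validity
	rotated := issueCert(key2, 3, start.AddDate(0, 0, 800), 825) // rotation: a brand-new key pair

	p0, p1, p2 := DerivePins(original), DerivePins(renewed), DerivePins(rotated)
	pinSet := []string{p0.SPKISHA256} // what was baked into the app at release time

	return Outcome{
		CertHashSameAfterRenewal:  p0.CertSHA256 == p1.CertSHA256,
		SPKIHashSameAfterRenewal:  p0.SPKISHA256 == p1.SPKISHA256,
		SPKIHashSameAfterRotation: p0.SPKISHA256 == p2.SPKISHA256,
		RenewedPassesPinCheck:     PinMatches(renewed, pinSet),
		RotatedPassesPinCheck:     PinMatches(rotated, pinSet),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with `go run`: the certificate hash differs after renewal while the SPKI hash is unchanged, so an app that pinned the public key hash keeps working through the renewal, and only the key rotation makes the pin check fail. That failure is exactly the forced-update situation; shipping the pin of the next key in the pin set ahead of the rotation is the usual way to soften it.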

There is one drawback with all of these pinning techniques, and it applies even to public key pinning: the application needs to be force-updated when public key rotation happens. This in itself is a problem. Is there a way this issue can be overcome? The answer is yes, and it is called Certificate Transparency.

Let's dig a little bit into Certificate Transparency and understand if it is better than SSL pinning.


Certificate Transparency serves the same purpose as SSL pinning but in a different way. In this method, when an SSL certificate is presented to the mobile application, the application verifies whether it is valid with the Log server, which already has a copy of the valid certificates issued by the trusted root authorities. Thus if a hacker is performing MITM, his root CA will not be present in the Log server, and the user is saved from the MITM attack.

For more information on Certificate Transparency, refer to the link.

At first, it might seem that Certificate Transparency is better than SSL pinning, but it is equally important to understand its limitations and drawbacks. Let's consider a scenario where the Log server is down. Here even valid calls from the application will fail, because the validity of the certificate cannot be reconfirmed. This is a major drawback of this method. Hence high-availability applications that cannot allow downtime are better off with SSL pinning, where they have full control instead of depending on the Log server. Vice versa, if high availability is not a concern, then Certificate Transparency is better than SSL pinning.

To conclude, we have learned which is the best way of pinning, and compared pinning with Certificate Transparency. In the upcoming blogs we will talk about how SSL pinning can be implemented on Android and iPhone. Till then, take care and stay safe.


Staff Security Engineer @ WalmartLabs|Blackhat Arsenal Presenter|Author of Hacme Android|Trainer|GPYC