MONETA Money Bank Hardens the Mobile App Communication with Dynamic Certificate Pinning

MONETA Money Bank has taken yet another step to make its clients more secure on mobile. The leader in digital banking is the first organization that decided to implement our Dynamic Certificate Pinning to harden the communication between the mobile banking app and the server.

About Secure Communication

One of the main areas that need to be covered when designing a mobile banking app is secure communication. The mobile banking app communicates with the bank’s back-end systems to obtain information about accounts and transactions and to initiate payments. If the communication channel is insufficiently secured, attackers can get access to sensitive information, or even take full control over the account, just by sniffing the network traffic.

Communication over HTTPS is a standard these days. However, an attacker can still gain control over the communication channel by installing their own certificate authority (CA) on the mobile device.

A traditional way to mitigate this problem is to implement certificate pinning or public key pinning. By explicitly checking the certificate parameters, the mobile app can detect and prevent a man-in-the-middle (MITM) attack. However, another issue arises:

What to do when the current certificate expires?

This issue can be solved naively by updating the certificate in advance and then cutting off the users who do not update to the new version of the app. However, this requires organizational discipline (the organization needs to keep the certificate update in mind and schedule it early enough before the certificate expires) and creates an inconvenience for the users who did not update their apps before the certificate expired.

But what if the mobile banking app could magically update the information about its TLS/SSL certificates, securely, on the fly, and without the need for an app update? Well, now it can!

Our “Dynamic SSL Pinning” is a feature that manages the TLS/SSL certificate updates in the mobile app. It consists of a tool that generates the dynamic definition of fingerprints, an SDK for iOS and an SDK for Android.
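As an added illustration of the pinning and fingerprint-update flow described above (example code, not the open-source SDKs or the bank's implementation): a pin store that accepts a TLS certificate only if its fingerprint matches an unexpired pin, and takes new fingerprints only from a definition whose authenticity it has verified first. The host name, key, certificate bytes and timestamps are constructed, and HMAC stands in for the asymmetric signature a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed samples: a real app hashes the server's DER certificate (or its
# SubjectPublicKeyInfo); these byte strings stand in for such certificates.
CURRENT_CERT_DER = b"constructed-der-of-current-server-cert"
RENEWED_CERT_DER = b"constructed-der-of-renewed-server-cert"
MITM_CERT_DER = b"constructed-der-of-attacker-cert"
HOST, DAY, NOW = "api.example.com", 86_400, 1_700_000_000

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()
def sign_definition(key: bytes, definition: bytes) -> str:
    # Stand-in for the asymmetric signature a real deployment uses (private key
    # server-side, only the public key in the app); HMAC keeps this stdlib-only.
    return hmac.new(key, definition, hashlib.sha256).hexdigest()

class PinStore:
    """Pins shipped with the app plus any accepted from a signed update.
    Each pin is (host, sha256 fingerprint, unix time after which it is no longer trusted)."""
    def __init__(self, update_key: bytes, pins: list):
        self.update_key, self.pins = update_key, list(pins)

    def apply_update(self, definition: bytes, signature: str) -> bool:
        # Verify before parsing: an unauthenticated definition is discarded,
        # otherwise a MITM could push its own fingerprint into the store.
        if not hmac.compare_digest(sign_definition(self.update_key, definition), signature):
            return False
        self.pins += [(p["host"], p["fingerprint"], p["expires"])
                      for p in json.loads(definition)["fingerprints"]]
        return True

    def validate(self, host: str, cert_der: bytes, now: int) -> bool:
        # Handshake proceeds only if the certificate matches an unexpired pin for the host.
        fp = fingerprint(cert_der)
        return any(h == host and f == fp and now < exp for h, f, exp in self.pins)

def demo() -> dict:
    key = b"constructed-update-key"
    store = PinStore(key, [(HOST, fingerprint(CURRENT_CERT_DER), NOW + DAY)])
    update = json.dumps({"fingerprints": [{"host": HOST, "fingerprint": fingerprint(RENEWED_CERT_DER), "expires": NOW + 90 * DAY}]}).encode()
    return {
        "current_valid": store.validate(HOST, CURRENT_CERT_DER, NOW),
        "forged_update_applied": store.apply_update(update, "00" * 32),
        "signed_update_applied": store.apply_update(update, sign_definition(key, update)),
        "renewed_valid_after_update": store.validate(HOST, RENEWED_CERT_DER, NOW),
        "mitm_cert_valid": store.validate(HOST, MITM_CERT_DER, NOW),
        "current_valid_after_expiry": store.validate(HOST, CURRENT_CERT_DER, NOW + 2 * DAY),
    }
```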

Of course, all these components are released as open-source software on GitHub, to provide maximum transparency and to drive the adoption of better mobile app security even faster.