
MONETA Money Bank Hardens the Mobile App Communication with Dynamic Certificate Pinning

Petr Dvořák
Nov 12, 2018 · 2 min read

MONETA Money Bank has taken yet another step to make its clients more secure on mobile. The leader in digital banking is the first organization that decided to implement our Dynamic Certificate Pinning to harden the communication between the mobile banking app and the server.

One of the main areas to cover when designing a mobile banking app is secure communication. The app talks to the bank’s back-end systems to obtain information about accounts and transactions and to initiate payments. If that channel is insufficiently secured, an attacker who can intercept the network traffic can read sensitive information, or even take full control over the account.

Communication over HTTPS is standard these days. However, an attacker can still gain control over the channel by installing their own certificate authority (CA) on the mobile device: the TLS client then trusts any certificate issued by that CA, so the attacker can terminate the connection, read and modify it, and relay it to the real server.

The traditional mitigation is certificate pinning or public key pinning. Instead of trusting whatever the device’s CA store would accept, the app compares the server’s certificate (or, more commonly, the hash of its public key) against a value shipped inside the app, so a man-in-the-middle (MITM) attack is detected and the connection is refused. However, another issue arises:

What to do when the current certificate expires?

This issue can be solved naively by shipping the new certificate in an app update well in advance and then cutting off users who do not update. However, this requires organizational discipline (someone has to keep the certificate rotation in mind and schedule the app release early enough before the certificate expires), and it locks out users who did not update their app before the old certificate expired.

But what if the mobile banking app could update the information about its TLS/SSL certificates securely, on the fly, and without an app update? Well, now it can!

Our “Dynamic SSL Pinning” is a feature that manages TLS/SSL certificate fingerprint updates in the mobile app. It consists of a tool that generates the dynamic fingerprint definition, an SDK for iOS, and an SDK for Android.
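To make the two ideas above concrete, here is an added, self-contained example of both the pin check itself and a dynamic, signed fingerprint update. This is illustration code written for this post, not the Wultra SDK or tool: the JSON layout (`fingerprints`, `expires`), the ECDSA-over-SHA-256 signature, the function names and the `api.bank.example` host name are all assumptions, and the certificates are generated on the fly as constructed demo data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PinList is the fingerprint definition the update tool publishes.
// The JSON layout is an assumption for this example, not Wultra's real format.
type PinList struct {
	Fingerprints []string `json:"fingerprints"` // hex SHA-256 of each allowed SubjectPublicKeyInfo
	Expires      int64    `json:"expires"`      // Unix seconds; the app must refresh before this
}

// SignedPinList is what the app downloads: the payload plus an ECDSA
// signature over SHA-256(payload) made with the tool's private key.
type SignedPinList struct {
	Payload   []byte
	Signature []byte
}

// SPKIFingerprint pins the public key rather than the whole certificate,
// so a renewed certificate that keeps the same key still matches.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// SignPinList is the tool side: serialise the list and sign its digest.
func SignPinList(priv *ecdsa.PrivateKey, list PinList) (SignedPinList, error) {
	payload, err := json.Marshal(list)
	if err != nil {
		return SignedPinList{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedPinList{}, err
	}
	return SignedPinList{Payload: payload, Signature: sig}, nil
}

// VerifyPinList is the app side. The verification key is embedded in the app;
// the TLS channel that delivered the list is deliberately not relied on for
// integrity, because that channel is exactly what pinning protects.
func VerifyPinList(pub *ecdsa.PublicKey, s SignedPinList, now time.Time) (PinList, error) {
	digest := sha256.Sum256(s.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], s.Signature) {
		return PinList{}, errors.New("pin list signature invalid")
	}
	var list PinList
	if err := json.Unmarshal(s.Payload, &list); err != nil {
		return PinList{}, err
	}
	if !now.Before(time.Unix(list.Expires, 0)) {
		return PinList{}, errors.New("pin list expired: fetch a fresh one before connecting")
	}
	return list, nil
}

// CheckPin is the TLS hook: accept the server certificate only if its SPKI
// fingerprint is in the current verified, unexpired list.
func CheckPin(list PinList, cert *x509.Certificate) bool {
	fp := SPKIFingerprint(cert)
	for _, allowed := range list.Fingerprints {
		if allowed == fp {
			return true
		}
	}
	return false
}

// selfSignedCert builds a throwaway certificate with a fresh key, standing in
// for a server (or MITM) certificate. Constructed demo data only.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	toolKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // app embeds toolKey.PublicKey
	oldCert, _ := selfSignedCert("api.bank.example")
	newCert, _ := selfSignedCert("api.bank.example")
	mitmCert, _ := selfSignedCert("api.bank.example") // issued by an attacker-installed CA
	now := time.Now()
	// Rotation: list both the current and the upcoming key, so the app keeps
	// working when the server switches, with no app update.
	signed, _ := SignPinList(toolKey, PinList{
		Fingerprints: []string{SPKIFingerprint(oldCert), SPKIFingerprint(newCert)},
		Expires:      now.Add(7 * 24 * time.Hour).Unix(),
	})
	list, err := VerifyPinList(&toolKey.PublicKey, signed, now)
	fmt.Println("verified:", err == nil, "old:", CheckPin(list, oldCert),
		"new:", CheckPin(list, newCert), "mitm:", CheckPin(list, mitmCert))
	tampered := SignedPinList{Payload: append([]byte(nil), signed.Payload...), Signature: signed.Signature}
	tampered.Payload[2] ^= 1 // one flipped byte; signature check must fail
	_, err = VerifyPinList(&toolKey.PublicKey, tampered, now)
	fmt.Println("tampered rejected:", err != nil)
}
```

The order of checks in `VerifyPinList` matters: verify the signature before parsing the JSON, so untrusted bytes never reach the parser, and treat an expired list as a hard failure rather than falling back to "no pinning", otherwise an attacker who can block the update endpoint gets a downgrade for free.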

Of course, all of these components are released as open-source software on GitHub, to provide maximum transparency and to drive adoption of better mobile app security even faster.

Wultra Blog

Blog posts by Wultra company
