Reduce Risk with Certificate Pinning
When deploying a secure mobile application, one of the first things you do is make sure that all communication goes over a secure channel such as HTTPS. However, even though you are using a valid certificate and HTTPS, your application may still be vulnerable to several attacks.
One of the main threats is a man-in-the-middle (MitM) attack, a well-known technique in which an attacker sets up a proxy with a fake Certificate Authority (CA) in order to intercept the traffic to and from your application and identify vulnerabilities.
Ideally you want to make it as hard as possible for attackers to find vulnerabilities in your application, and one of the things you can do to reduce the risk is to use Certificate Pinning. This applies especially to applications that deal with sensitive information.
So what is Certificate Pinning?
To explain Certificate Pinning in the simplest way: it is a method of associating (pinning) a host with a specific certificate or public key.
For example, when your application connects to a server that presents a certificate, the first thing the client does is check that the certificate chains up to a trusted root certificate (the chain of trust), that it matches the hostname, and that it has not expired.
What it does not check is whether the certificate presented to your application is the one you actually bought and installed; any certificate issued for your hostname by a CA the device trusts will pass. With Certificate Pinning in place, a certificate from a fake CA is rejected even though it passes those standard checks, so attackers cannot use it to intercept the traffic going to and from your application.
How do you implement Certificate Pinning?
It all depends on what technology you are using for your mobile application. I would highly recommend taking a look at the "OWASP Certificate Pinning WebSite", as it has recommendations and examples for technologies such as Android Java, iOS, .Net and OpenSSL.
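To make the check concrete, here is an added Go example (not code from this article or from the OWASP page it refers to) that implements public key pinning the way the sections above describe it: the platform's normal chain, hostname and expiry validation stays on, and a pin check is layered on top so that a certificate issued for the same hostname by a different CA, carrying a different key, is rejected. Go is used because its standard library includes TLS and X.509 and the whole example runs offline. The hostname api.example.test, the self-signed certificates generated in memory and the BACKUP_PIN_PLACEHOLDER value are constructed for the example; the pin format is base64 of the SHA-256 hash of the DER-encoded SubjectPublicKeyInfo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PinSet holds the pins the app accepts: base64(SHA-256(DER SubjectPublicKeyInfo)).
// Pinning the public key rather than the whole certificate means a renewed
// certificate for the same key still matches, and a backup pin for a key that is
// not yet deployed lets you rotate keys without an emergency app release.
type PinSet map[string]struct{}

// NewPinSet builds a PinSet from pin strings.
func NewPinSet(pins ...string) PinSet {
	s := make(PinSet, len(pins))
	for _, p := range pins {
		s[p] = struct{}{}
	}
	return s
}

// SPKIPin computes a certificate's pin from its DER-encoded SubjectPublicKeyInfo.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPeerCertificate has the signature of the tls.Config.VerifyPeerCertificate
// callback. Go calls it after the standard chain, hostname and expiry checks have
// passed (InsecureSkipVerify stays false), and it adds the check those do not make:
// some certificate in the presented chain must carry a pinned public key.
func (ps PinSet) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("pinning: server presented no certificate")
	}
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("pinning: cannot parse peer certificate: %w", err)
		}
		if _, ok := ps[SPKIPin(cert)]; ok {
			return nil
		}
	}
	return errors.New("pinning: no certificate in the chain matches a known pin")
}

// selfSignedCert generates a throwaway self-signed certificate (constructed test
// data standing in for a real server certificate) and returns its DER bytes.
func selfSignedCert(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// The legitimate server certificate (constructed) and the pins the app ships with.
	goodDER, err := selfSignedCert("api.example.test")
	if err != nil {
		panic(err)
	}
	good, _ := x509.ParseCertificate(goodDER)
	pins := NewPinSet(SPKIPin(good), "BACKUP_PIN_PLACEHOLDER=") // backup pin is a placeholder value
	fmt.Println("server pin:", SPKIPin(good))
	fmt.Println("genuine certificate accepted:", pins.VerifyPeerCertificate([][]byte{goodDER}, nil) == nil)

	// A certificate for the same hostname under a different key (what a fake CA
	// would produce) passes hostname and expiry checks but fails the pin check.
	otherDER, _ := selfSignedCert("api.example.test")
	fmt.Println("other-key certificate accepted:", pins.VerifyPeerCertificate([][]byte{otherDER}, nil) == nil)
}
```

To use this in an app, install `pins.VerifyPeerCertificate` as the `VerifyPeerCertificate` field of the `tls.Config` your HTTP client uses and leave `InsecureSkipVerify` unset, so pinning adds to the standard validation rather than replacing it. Ship the real server's pin plus at least one backup pin for a key you keep offline; when you rotate to the backup key, the existing app build keeps working.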
Are there any known problems with Certificate Pinning?
Yes. The major drawback is that once the certificate expires, or you have to replace it for some other reason, you have to release a new version of the application and have all users download it. Pinning the public key rather than the certificate, and shipping a backup pin for a key you have not deployed yet, reduces how often this is necessary.
Also, using Certificate Pinning does not make you completely secure against MitM attacks, as an attacker will most likely find a way to bypass any security mechanism put in front of them, Certificate Pinning included. For example, on iOS it is possible to patch certain SSL functions within the Secure Transport API to bypass Certificate Pinning.
As we have seen in recent years, security is always going to be a cat-and-mouse game, and it is prudent to ensure all possible security measures are in place in order to keep attackers at bay. Certificate Pinning is only one of several countermeasures you can employ to make it as hard as possible for attackers to attack your infrastructure.