In the previous article, we discussed how Certificate Pinning introduces an extra layer of protection while establishing an end-to-end SSL connection. We also came to know that Certificate Pinning is not a full proof solution. Now let’s dig a little deeper.
How is Certificate Pinning Beaten?
There are apps for android (i.e. android-SSL-bypass and Android-SSL-TrustKiller) and ios (i.e. SSL Kill Switch and TrustMe) available on open source repository websites that allow you to make a connection with the remote server using the app for which Certificate Pinning was enabled. This method would need two things, a) the device to be rooted/jailbroken and b) these apps to be updated very frequently which is not common. There is one more method which does not depend on these two parameters – reverse engineering. This approach would involve dissembling the app, modifying the method logic which deals with certificate check, reassembling, signing the app and finally using it on real devices or emulators. A reverse engineered app would work like a simple browser which does not check the certificate and visits only one website – the targeted remote server.
Reverse engineering, in this context, works best as the apps that allow beating pinning do not go through the aggressive development cycle. For example, Android-SSL-TrustKiller does not work on Android Marshmallow and later. There is only initial build available on Github.
Other Problems with Certificate Pinning
Penetration testers usually find it difficult to test Certificate Pinned apps compare to other apps as there is an over-burden of reverse engineering the app.
The secured app must have a release when a certificate at the server side is changed/removed, gets expired, or another server is added which would lead the development team to add another certificate to the app. Clearly, development cost will go high.
There could be a practical situation when a user failed to update the latest version of the app and the certificate at the server has been expired. In such case, the server will self-impose the denial of service and would not allow using this deprecated version of the app.
Some of this problem can be addressed by using Public-key Pinning.
The Bottom Line
However Certificate Pinning has certain issues and hacks available in the market, it is highly recommended to use pinning either by certificates or by the public key of the certificates as it works to a large extent when it comes to security. OWASP recommends pinning all the time.
Authored By - Sourabh Kumar Jain
TCS Enterprise Security and Risk Management
Rate this article: