Skip to content

MASWE-0047: Insecure Identity Pinning

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Overview

Identity pinning (aka. certificate pinning, public key pinning or TLS pinning) refers to associating a mobile app with a specific cryptographic identity, such as a certificate or public key to ensure that the app only communicates with trusted servers.

When a mobile app does not implement certificate pinning, or if it is implemented incorrectly, the app remains vulnerable to Machine-in-the-Middle (MITM) attacks which enable attackers to intercept and modify the communication between the app and the intended server. This occurs because when the app is presented a fraudulent certificate that the app may unknowingly trust, thereby gaining access to sensitive data or injecting malicious content into the data stream.

Limitations: Certificate pinning adds a layer of trust verification by ensuring that the app only accepts connections to servers with specific, pre-determined certificates or public keys. This reduces the risk of unauthorized interception, even if a trusted Certificate Authority (CA) is compromised. However, it is not foolproof:

  • Attackers who can reverse-engineer the app may analyze and remove or modify the pre-defined pins or the certificate pinning logic to permanently bypass the checks.
  • Attackers who can perform Tampering and Runtime Instrumentation techniques to manipulate the app and bypass pinning checks.

This highlights the importance of implementing certificate pinning alongside other security measures to enhance the app's resistance to advanced threats.

Impact

  • Data Interception: Sensitive data such as credentials, personal information, or financial details can be captured by unauthorized parties.
  • Data Manipulation: Attackers can not only intercept but also manipulate data if pinning is not properly enforced.
  • Denial of Service: Incorrect pinning may cause legitimate connections to fail, leading to service disruptions for users. For example, if a pinned certificate expires and is not updated, the app may be unable to establish secure connections.

Modes of Introduction

  • Improper Configuration of Pinning Libraries: Misconfiguring libraries like TrustKit, OkHttp's CertificatePinner, Volley, or AFNetworking's SSLPinningMode, leading to ineffective pinning.
  • Dynamic Pinning without Security: Retrieving pins dynamically over insecure channels without proper validation, making it easy for attackers to supply malicious pins.
  • Weak Validation Logic: Custom pinning implementations that do not correctly validate the certificate chain or public key. For example, accepting any certificate that chains to a trusted root CA instead of a specific certificate or public key.
  • Lack of Backup Pins: Not including backup pins to prevent connectivity issues if the primary pin is no longer valid.

Mitigations

  • Prefer Platform-provided Solutions: Use platform-provided mechanisms like Android's Network Security Configuration (NSC) or iOS's App Transport Security (ATS) to enforce pinning.
  • Use Trusted Pinning Libraries: Refrain from writing custom pinning logic; instead, rely on established and well-maintained libraries and frameworks (e.g., TrustKit, OkHttp's CertificatePinner) and ensure they are correctly configured according to best practices.
  • Secure Dynamic Pinning: If dynamic pinning is necessary, retrieve pins over secure channels and validate them thoroughly before use.
  • Pin to Public Keys Instead of Certificates: Pin to the certificate's public key rather than the whole certificate to avoid issues regarding expiration and renewals.
  • Consistent Enforcement: Apply pinning uniformly for all connections to servers that you control.
  • Regularly Update Pins: Keep the pinned certificates or public keys up to date with the server's current configuration and have a process for updating the app when changes occur.
  • Implement Backup Pins: Include backup pins (hashes of additional trusted public keys) to prevent connectivity issues if the primary key changes.