Security in Mobile application part1(Certificate Pinning)

Abhishek Singh
Published in System Weakness
Nov 27, 2021


Hello everyone. This article is part of the series we started on “Security in Mobile application”. The earlier article was about HTTPS and its implementation; if you haven’t read it yet, please visit the article below, where we discussed the basics of HTTPS and how the TLS handshake works internally.

In this article we discuss one way an attacker can intercept HTTPS traffic and read your confidential information, and the countermeasure mobile apps use against it: certificate pinning.

Before any TLS (or, historically, SSL) communication can start, a handshake has to take place. As part of setting up the connection, the server sends its certificate together with the chain it belongs to: the server’s own (leaf) certificate is signed by an intermediate Certificate Authority (CA), and that intermediate CA’s certificate is signed by a root CA. Root certificates are self-signed and come pre-installed in the device’s trust store. To give an idea of how certificates look and how the signing hierarchy works, have a look at the screenshot below, which was taken from this very web page.

In the screenshot, the “medium.com” leaf certificate is signed by the intermediate “Cloudflare Inc ECC CA-3”, which in turn is signed by the root “Baltimore CyberTrust Root”. Signing runs from the root down to the leaf, never the other way around: the root vouches for the intermediate, and the intermediate vouches for the server.

So, during the handshake between client and server, an attacker positioned on the network path can present itself as the legitimate server by supplying a different certificate.

Below diagram shows server sharing certificates with client:

Now, in a Man in the Middle (MITM) attack, the client-server connection is hijacked and the attacker sends the client a certificate of its own. For the client to accept it, that certificate must chain up to a root certificate the client already trusts, so the attacker needs a root CA that is installed in the device’s trust store: typically a proxy tool’s root certificate that the user (or malware) installed on the device, or in the worst case a compromised or mis-issued CA. Standard certificate validation alone cannot tell such a chain apart from the real one. A pictorial representation of this scenario is below:

The MITM now terminates the client’s connection itself and opens a second connection to the real server, relaying traffic between the two. Because the client negotiated its TLS session with the attacker’s key, everything the client sends is decrypted and readable by the attacker before it is forwarded, so all the secret information ends up with the hijacker.

How to prevent Man in the Middle attacks

Several steps can be taken to prevent such attacks; one good and effective step is Certificate Pinning, or Cert Pinning for short.

What is Certificate Pinning:

Certificate pinning means the client stores (“pins”) the certificate it expects to receive from the server during the handshake, so the expected certificate is hard-coded in the client’s code or configuration. The client can either store the whole certificate or extract the public key from it and store that; in practice what is stored is a SHA-256 hash of the certificate or of its SubjectPublicKeyInfo rather than the raw bytes. Pinning is an additional check on top of normal certificate validation, not a replacement for it.

How certificate pinning helps against MITM attacks:
Now the client has the pin stored locally, and during the handshake it expects the server to present a certificate (or public key) that matches it. If an MITM attack happens, the attacker presents its own certificate to complete the handshake; when the client compares it against the locally stored pin it does not match, so the client raises an error and aborts the connection, knowing that a suspicious server is trying to talk to it. This holds even when the attacker’s certificate chains to a root the device trusts, which is exactly the case that normal validation cannot catch.

Different ways to do cert pinning

This can be done in two ways, each with its own advantages and disadvantages:

  1. Save the whole certificate in the local code base
  2. Save the public key in the local code base

Consider the first case, where we store the whole certificate. If that certificate expires or its issuing CA revokes it, the server gets a new certificate, the stored copy no longer matches, and we have to recompile the application and upload a new build to the store with the new certificate; until users update, the app cannot connect. This hassle can be reduced by pinning the public key extracted from the certificate instead: as long as the server keeps the same key pair when it renews its certificate, the pin stays valid. The key can still be rotated, so in practice you also pin a backup key (or the intermediate CA’s key) and plan the rotation ahead of a release.
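The mechanics described above (the client comparing what the server presents against a stored pin, and the difference between pinning the certificate and pinning the public key), as an added example that is not part of the original article: a small Go program, using only the standard library, that builds a constructed PKI and runs both the ordinary chain validation and the pinning check over it. It goes slightly beyond the text in two ways: it shows that an attacker whose proxy root is installed in the device trust store passes standard validation and is caught only by the pin, and it shows a renewed certificate (same key, new serial) failing a whole-certificate pin while passing a public-key pin with the intermediate CA’s key held as a backup pin. The names Example Root CA, Example Issuing CA, Debug Proxy Root CA and example.com are assumptions made up for the demo; the pin encoding sha256/<base64> is the form OkHttp’s CertificatePinner and HPKP use, but the checking logic here is the example’s own, not OkHttp’s code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

const host = "example.com" // assumed server name for the demo (the article's screenshot shows medium.com)

func check(err error) {
	if err != nil {
		panic(err) // constructed demo PKI: fail loudly instead of threading errors through
	}
}

func b64sha256(b []byte) string {
	s := sha256.Sum256(b)
	return "sha256/" + base64.StdEncoding.EncodeToString(s[:])
}

// certPin: option 1, hash of the whole DER certificate. spkiPin: option 2, hash of the SubjectPublicKeyInfo (the "sha256/<base64>" form OkHttp and HPKP use).
func certPin(c *x509.Certificate) string { return b64sha256(c.Raw) }
func spkiPin(c *x509.Certificate) string { return b64sha256(c.RawSubjectPublicKeyInfo) }

// issue signs a certificate for cn with parent/parentKey (nil parent: self-signed) and returns it
// with its key. A nil key means "generate a fresh P-256 key"; passing an existing key models renewal.
func issue(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	var err error
	if key == nil {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn} // the name the client verifies against
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verifyChain is ordinary TLS validation (all an unpinned client does): leaf, then intermediates, ending at a root in the device trust store.
func verifyChain(chain []*x509.Certificate, roots *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// checkPins is the extra check pinning adds on top of verifyChain: at least one certificate in the presented chain must match a pin (OkHttp semantics); pinFn selects certPin or spkiPin.
func checkPins(chain []*x509.Certificate, pins map[string]bool, pinFn func(*x509.Certificate) string) error {
	for _, c := range chain {
		if pins[pinFn(c)] {
			return nil
		}
	}
	return fmt.Errorf("certificate pinning failure for %s: no certificate in the chain matches a pin", host)
}

// buildScenario constructs the PKI: legit root -> intermediate -> leaf, that leaf renewed with the same key pair, and a MITM
// chain from a proxy root the user installed. It returns the trust store, the chains keyed "legit"/"renewed"/"attacker", and both pin sets.
func buildScenario() (*x509.CertPool, map[string][]*x509.Certificate, map[string]bool, map[string]bool) {
	root, rootKey := issue("Example Root CA", nil, nil, nil, true, 1)
	inter, interKey := issue("Example Issuing CA", nil, root, rootKey, true, 2)
	leaf, leafKey := issue(host, nil, inter, interKey, false, 3)
	renewed, _ := issue(host, leafKey, inter, interKey, false, 4) // renewal: new certificate, same key
	mitmRoot, mitmRootKey := issue("Debug Proxy Root CA", nil, nil, nil, true, 5)
	mitmLeaf, _ := issue(host, nil, mitmRoot, mitmRootKey, false, 6)
	trust := x509.NewCertPool()
	trust.AddCert(root)
	trust.AddCert(mitmRoot) // the user installed the proxy's root, so the device now trusts both roots
	chains := map[string][]*x509.Certificate{"legit": {leaf, inter}, "renewed": {renewed, inter}, "attacker": {mitmLeaf}}
	certPins := map[string]bool{certPin(leaf): true}                        // option 1: the leaf certificate itself
	spkiPins := map[string]bool{spkiPin(leaf): true, spkiPin(inter): true} // option 2: leaf key, intermediate key as backup
	return trust, chains, certPins, spkiPins
}

func main() {
	trust, chains, certPins, spkiPins := buildScenario()
	fmt.Println("attacker chain: standard validation ok?", verifyChain(chains["attacker"], trust) == nil, "SPKI pinning ok?", checkPins(chains["attacker"], spkiPins, spkiPin) == nil)
	fmt.Println("renewed leaf: certificate pin ok?", checkPins(chains["renewed"], certPins, certPin) == nil, "SPKI pin ok?", checkPins(chains["renewed"], spkiPins, spkiPin) == nil)
}
```

Run it with go run; the attacker line prints true then false (standard validation accepts the proxy-signed chain, the pin rejects it) and the renewed line prints false then true (the certificate hash changed, the key hash did not). In a real Android app the same sha256/... values are what you would hand to OkHttp’s CertificatePinner.Builder().add("example.com", "sha256/...") or list in a <pin-set> in network_security_config.xml; on iOS the equivalent is NSPinnedDomains in Info.plist or a URLSession delegate doing the comparison. Note that checkPins accepts a match anywhere in the chain, which is what makes the intermediate key usable as a backup pin.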

For testing and monitoring we can also use a tool that lets us inspect our network calls and confirm that the app is talking to the server we intend. A popular tool for this is Charles Proxy, which is not a library but an interception proxy: it installs its own root certificate on the device and acts as a MITM on your own traffic. A correctly pinned app will refuse to connect through it, which makes it a handy check that pinning is actually in effect, and a reminder of what an attacker with an installed root can do to an unpinned app. A lot has been written about this already, so we won’t spend much time on tracking network calls here.

That is all about certificate pinning. My focus was mainly on the technicalities, so I skipped the coding part, which is widely available anyway.

Please write back and share your feedback or any enhancements you would like to see in this tutorial.

This was the second article in our series on Security in Mobile application. If you missed the first part, please visit the article below.

Our next article is about jailbroken devices and the security issues a jailbroken device introduces. Please follow the link below to read more about jailbroken devices and their security issues.

Saying goodbye for now; see you in our next blog 😊

