Hi Guys, this is Shikhar Gupta. With this writeup I am starting my new mobile penetration testing series for Android applications.
SSL, or Secure Sockets Layer, is a technique or arrangement to secure communication between two entities. When two devices connect, the sender and receiver must be assured that no third party can listen to or access their communication. SSL pinning is one of the ways to ensure this.
Mobile apps commonly use SSL to safeguard transmitted data from eavesdropping and tampering while communicating with a server. By default, the SSL implementation in an app trusts any server that presents a certificate which, in turn, is trusted by the operating system's trust store. The operating system ships a list of certificate authorities in this store.
The developer configures SSL pinning in the app to reject all but one or a few predefined certificates or public keys. Whenever the app connects to a server, it compares the server certificate with the pinned certificates or public keys. If and only if they match, the app trusts the server and establishes the connection.
When the application attempts to establish a connection to the server, it does not itself decide which certificates to trust and which not to. The app relies entirely on the certificates in the iOS Trust Store or in the Android CA store that Google provides.
This method has a loophole: an attacker can generate a self-signed certificate and add it to the iOS/Android trust store, or compromise a root CA certificate (just like Burp's CA certificate, which we will be adding later on to capture the requests and responses 😉). This allows such an attacker to set up a man-in-the-middle attack and capture the data moving to and from your app.
Restricting the set of trusted certificates through pinning prevents attackers from analyzing the functionality of the app and the way it communicates with the server.
To see this trust store on an Android device:
- Open Settings.
- Go to Security & location.
- Go to Encryption & credentials.
- Tap on Trusted credentials; this will show you all the trusted certificates.
You can install, delete or disable any trusted certificate from the trusted certificate list.
You can choose any one of these three SSL pinning types based on the level of security protection you require.
- Leaf Certificate — Pinning to the leaf certificate guarantees that your certificate and chain are 100 % valid. However, a leaf certificate has a very short validity period, so the pin has to be refreshed whenever the certificate is renewed.
- Intermediate Certificate — Pinning the intermediate certificate means that you are trusting your CA. If you want to stay with your CA, this is the most recommended SSL pinning type.
- Root Certificate — This is also known as a self-signed certificate, and it is the one used to sign the other certificates in the chain. You should have strong certificate validation to ensure your CA won't be compromised.
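As an added example (not code from this post), here is the comparison step described above written in Go: the pin is the SHA-256 hash of the certificate's SubjectPublicKeyInfo in the `sha256/base64` form that OkHttp's CertificatePinner and Android's network security config use, and the depth at which the chain matches tells you which of the three pinning types applied. The certificates are generated in-process as constructed stand-ins for whatever the server would present.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin: "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)), the pin form of OkHttp and Android.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned is the comparison step: the presented chain (leaf first, then intermediates,
// then root) must hold a certificate whose key pin is in the pinned set. Depth 0 = leaf pin.
func VerifyPinned(chain []*x509.Certificate, pins []string) (int, error) {
	for depth, cert := range chain {
		pin := SPKIPin(cert)
		for _, p := range pins {
			if p == pin {
				return depth, nil
			}
		}
	}
	return -1, fmt.Errorf("no certificate in the chain matches a pinned public key")
}

// selfSigned builds a throwaway certificate (constructed fixture) so the example runs offline.
func selfSigned(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	server := selfSigned("api.example.com") // constructed stand-in for the server's certificate
	pins := []string{SPKIPin(server)}       // the pin the app ships with
	_, okErr := VerifyPinned([]*x509.Certificate{server}, pins)
	_, badErr := VerifyPinned([]*x509.Certificate{selfSigned("other")}, pins)
	fmt.Println(pins[0], "accepted:", okErr == nil, "different key rejected:", badErr != nil)
}
```

In a real app this check runs inside the TLS handshake (in Go, a `VerifyPeerCertificate` callback), so a chain that is valid for the OS trust store but carries an unpinned key, such as an intercepting proxy's, is still refused.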
- SSL pinning provides us with better and tighter security.
- It protects clients and servers from establishing an unsafe connection due to certificate mis-issuance.
- With SSL pinning, the connection is protected from eavesdropping and from exposure to malware on the device.
- It instantly detects and reports MITM attacks.
- SSL pinning provides some level of protection from DNS poisoning attacks.
- Without hashing the pinned value, changing the certificate or public key becomes a nuisance, because every change means updating the pin in the app.
- With SSL certificate pinning integrated into an application, it is difficult to insert additional security solutions.
Now I think you have an idea of what SSL pinning is and why we implement it in Android applications. So, let's see how we can bypass SSL pinning in Android applications.
Continue —> Bypass SSL Pinning in Android Phones — Part 2