Securing mobile apps – Preventing MiM attack
Here are a few ways to prevent Man In the Middle attacks in iOS and android platforms by implementing certificate pinning as a security measure.
A key differentiator of successful mobile apps today is that they provide contextual, relevant and personalised information to their users. Because these apps capture personal data such as email addresses and location, developers now have a larger role to play in keeping that data secure, both in transit over the network and in use.
What is MiM?
A man-in-the-middle (MiM) attack is a cyberattack in which a malicious actor inserts themselves into a conversation between two parties, impersonating each party to the other, and thereby gains access to (and can alter) information the two parties intended to send only to each other.
Why do we need certificate pinning?
A MiM attacker who can present a certificate the device trusts, for example one issued by a compromised or rogue certificate authority or by a root certificate installed on the device, can impersonate the real service and read or modify everything the app sends and receives. Certificate pinning narrows what the app will accept from the whole set of trusted certificate authorities down to the specific certificates or public keys the developer expects for each host, so a certificate forged through any other authority is rejected and the attacker's opportunity for wrongful access to the service is minimised.
When should certificate pinning be deployed?
Keeping user information secure is vital to any application, but certificate pinning is essential for apps that send sensitive user data over the network, such as email addresses, credit card details or other information whose exposure could damage an individual's privacy or reputation.
Certificate pinning in iOS
Certificate pinning in iOS can be achieved with Apple's built-in Security framework or with a third-party SDK such as TrustKit.
With the Security framework there are two ways to pin: pin the certificate itself, or pin a hash of its public key.
In the first approach the server's certificate is bundled into the app. During the TLS handshake the app compares the certificate presented by the server with the bundled copy and proceeds only if they match; otherwise it refuses to establish the connection. The certificate is the one issued to the server by its certificate authority; a copy can be obtained from the hosting provider on request, or by inspecting the chain the server actually presents (a scanner such as ssllabs.com will show it). The certificate files are copied into the application bundle and the comparison is performed while the app is running. The caveat with pinning the whole certificate is that every renewal changes the certificate, so an app update carrying the new certificate must ship before the old one expires or the app stops working.
In the second approach, hashes of the server's public keys are stored in the app. At handshake time the public key is extracted from the certificate the server presents, hashed, and compared with the stored hashes; the program then proceeds or fails in the same way as in the first case. Because a renewed certificate can be issued for the same key pair, this approach survives certificate rotation as long as the key itself does not change.
For an iOS app, pinning on public key hashes with several pinned keys for the same host only became available from iOS 10 onwards with Apple's built-in Security framework.
Securing an Android App
By default an Android app trusts every certificate authority pre-installed on the device (and, on releases before Android 7, user-installed authorities as well), so any of those authorities can issue a certificate the app will accept. Apps are free to add certificate pinning on top of this: the app declares which public keys it accepts for a host, and a server certificate is trusted only if its validated chain contains one of those keys.
Certificate pinning for an Android app can be implemented with a third-party library such as OkHttp through its CertificatePinner. You supply the hostname and the set of SHA-256 hashes of the public keys (SubjectPublicKeyInfo) you trust, written as sha256/<base64>, and the OkHttp client is then instructed to reject any certificate chain for that host that contains none of them. On Android 7 and later the platform's Network Security Configuration can declare the same pins declaratively, which covers every HTTP stack in the app rather than only OkHttp.
Implementing certificate pinning for Tesco’s Clubcard – a case study
Tesco Clubcard is the loyalty programme used by customers at Tesco supermarkets. For Tesco services, each host is pinned with three certificates: one Tesco certificate specific to the host, and two certificates from a third-party vendor, Entrust, that are common to every host. The shared Entrust certificates are valid for six years or more, whereas the Tesco certificate expires after two years. We therefore give priority to the Tesco certificate and validate it first; if that check fails (for example because the certificate has expired and been replaced), we fall back to the two Entrust certificates. If none of the three matches, we cancel the handshake. Keeping long-lived backup pins alongside the short-lived host pin is what allows the Tesco certificate to be rotated without locking users out until an app update ships.
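The following Go program is an added example, not Tesco's code and not taken from TrustKit or OkHttp. It shows the logic that the iOS and Android sections above both describe and that the Clubcard setup applies: computing the sha256/<base64> pin of a certificate's public key (the same value OkHttp's CertificatePinner and TrustKit take as input), checking a validated chain against an ordered pin set so that the host's own pin is tried before the shared backup pins, and wiring that check into a TLS client so that it runs only after standard chain validation. The host name api.example.com and the self-signed certificates are constructed for the example; Go is used because the verification logic is the same on both platforms and it runs without a device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns a certificate's pin in the "sha256/<base64>" form that both
// OkHttp's CertificatePinner and TrustKit expect: the SHA-256 digest of the
// DER-encoded SubjectPublicKeyInfo, base64-encoded.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet lists the pins accepted for one host in priority order: the host's
// own pin first, then the backup pins shared across hosts (the Tesco-first,
// Entrust-second ordering described above).
type PinSet []string

// VerifyPins looks for a pinned key anywhere in the validated chain and returns
// the index of the pin that matched (0 is the preferred pin, so a caller can
// log when a backup had to be used). No match means the handshake must be
// cancelled. Hosts with no configured pins are rejected here (fail closed);
// OkHttp, by contrast, leaves unconfigured hosts unpinned.
func VerifyPins(host string, chain []*x509.Certificate, pins map[string]PinSet) (int, error) {
	set, ok := pins[host]
	if !ok {
		return -1, fmt.Errorf("no pins configured for %q", host)
	}
	for i, pin := range set {
		for _, cert := range chain {
			if SPKIPin(cert) == pin {
				return i, nil
			}
		}
	}
	return -1, fmt.Errorf("certificate pinning failure for %q", host)
}

// PinnedTLSConfig wires the pin check into a TLS client. VerifyPeerCertificate
// runs only after Go's standard chain validation has passed, and the pins are
// matched against that validated chain rather than the raw list the server
// sent: a server can append any public certificate to what it sends, but only
// the validated chain proves possession of the private key.
func PinnedTLSConfig(host string, pins map[string]PinSet) *tls.Config {
	return &tls.Config{
		ServerName: host,
		VerifyPeerCertificate: func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
			if len(verifiedChains) == 0 {
				return errors.New("no validated chain; pinning must run after standard validation")
			}
			_, err := VerifyPins(host, verifiedChains[0], pins)
			return err
		},
	}
}

// newTestCert builds a self-signed certificate with a fresh P-256 key. It is a
// constructed stand-in for the certificates a real server would present, so the
// example runs offline; nothing about it comes from Tesco or Entrust.
func newTestCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const host = "api.example.com" // hypothetical host name
	primary, _ := newTestCert(host)                    // the host's own (short-lived) key
	backup, _ := newTestCert("backup-issuer.example")  // stands in for a shared backup key
	rogue, _ := newTestCert(host)                      // same name, different key: an impostor

	pins := map[string]PinSet{host: {SPKIPin(primary), SPKIPin(backup)}}
	for _, chain := range [][]*x509.Certificate{{primary}, {backup}, {rogue}} {
		idx, err := VerifyPins(host, chain, pins)
		fmt.Printf("matched pin %d, err=%v\n", idx, err)
	}
}
```

Two points in the design matter in practice. The pin check is applied to the chain that already passed standard validation, never to the bare list of certificates the server sent, otherwise an impostor could simply append the genuine pinned certificate to its own. And the pin set always contains at least one backup key that is not in service yet, which is what the Clubcard arrangement relies on when the two-year Tesco certificate is rotated.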
Improving Clubcard's certificate pinning on iOS
Because Clubcard had to remain compatible with iOS 8, our original pinning code carried multiple OS-version condition checks. It served the purpose of pinning, but the implementation was not satisfactory.
To address this we moved to TrustKit, the pinning SDK recommended by OWASP (the Open Web Application Security Project). TrustKit is configured with the public key hashes for each host as key-value pairs; it requires at least two hashes per host, so that a backup key is always pinned alongside the one in service. When the app connects to a host, TrustKit compares the hashes stored in the app with the hash of the public key the server presents and decides whether to allow the connection. TrustKit's enforcement toggle lets pinning be switched on or off in configuration if required; with enforcement off, pin failures are reported rather than blocking the connection.
Bittu Davis is software development engineer at Tesco in Bengaluru.