SSL Pinning for Increased App Security

Written by: Jay Graves on March 19, 2013

Using SSL for network connections is the de facto method of ensuring secure data transmission in today’s mobile apps. A few articles have recently been published, including one by our own QA Lead – Nick Arnott, that show some apps that use SSL are not taking the extra step necessary to ensure eavesdropping cannot occur on the data connection. This “extra step” is known as SSL Pinning.

The default way iOS SSL connections work is as follows. The client makes a connection to the server and the server responds with its SSL certificate. If that certificate was issued by a Certificate Authority that is trusted by the OS, then the connection is allowed. All data sent through this connection is then encrypted with the server’s public key. The part that is of interest to us is “trust.” For an attacker to perform a “man in the middle” attack, the mobile device would have to trust the attacker’s certificate. It is very unlikely that the attacker possesses a trusted certificate, and therefore this is normally not an issue. However, SSL weaknesses have happened before, and using SSL Pinning can mitigate this possibility.

It is also possible that the user herself is intentionally acting as the attacker in order to inspect the encrypted network traffic. The user may be using Charles or mitmproxy to manually install a trusted certificate. While perhaps having a perfectly legitimate reason to do this, the user might instead be trying to find an exploit in your web service. Your app has the ability to use SSL Pinning to avoid this type of snooping.

So What Is SSL Pinning?

SSL Pinning is making sure the client checks the server’s certificate against a known copy of that certificate. Simply bundle your server’s SSL certificate inside your application, and make sure any SSL request first validates that the server’s certificate exactly matches the bundle’s certificate.

The method used to do this is connection:willSendRequestForAuthenticationChallenge: in the NSURLConnectionDelegate protocol. This method gets called when an SSL connection is made, giving you, the programmer, a chance to inspect the authentication challenge and either proceed or fail.

The code below shows how you can check the certificate sent by the server against a known certificate embedded in your application.

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    // Only server-trust (TLS) challenges carry a certificate chain; let the
    // system handle any other kind of challenge instead of cancelling it.
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [[challenge sender] performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
    // The leaf certificate is at index 0 of the chain the server presented.
    SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
    NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
    // DER-encoded copy of the server certificate shipped inside the app bundle.
    NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"];
    NSData *localCertData = [NSData dataWithContentsOfFile:cerPath];
    // Require an exact byte-for-byte match between the two certificates.
    if ([remoteCertificateData isEqualToData:localCertData]) {
        NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
        [[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
    }
    else {
        [[challenge sender] cancelAuthenticationChallenge:challenge];
    }
}

I have created a sample project so that you can try this out for yourself. You can find my SSL Pinning sample application on GitHub.

Problems

The certificate embedded in your app will eventually expire. You have to either plan for an app update that contains an updated certificate, or code a way for the application to download the new certificate.

For some apps, SSL Pinning may be impossible to do. If your app allows users to enter their own domain names to connect to services, then you have no opportunity to embed that certificate. However, if your app is intended to connect to a known server, or set of servers, you have all the information you need to guarantee that the client is indeed talking directly to the server, without a man in the middle eavesdropping.
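A fuller version of the delegate shown earlier, written here as an added example rather than the post's own code, that also addresses the expiry problem in this section: it only handles server-trust challenges, runs the OS's normal chain validation before comparing bytes, and accepts any of several bundled certificates so the app can ship the current and the next certificate ahead of a rotation. The bundle resource names server-current and server-next are placeholders.

```objectivec
// Added example (not the original post's code); bundle resource names are placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@property (nonatomic, copy) NSSet<NSData *> *pinnedCertificates; // DER bytes of each bundled .cer
@end
@implementation PinnedConnectionDelegate
- (instancetype)init {
    if ((self = [super init])) {
        NSMutableSet<NSData *> *certs = [NSMutableSet set];
        // Ship the current and the next certificate so a rotation does not break the app.
        for (NSString *name in @[@"server-current", @"server-next"]) {
            NSString *path = [[NSBundle mainBundle] pathForResource:name ofType:@"cer"];
            NSData *der = (path != nil) ? [NSData dataWithContentsOfFile:path] : nil;
            if (der.length > 0) { [certs addObject:der]; }
        }
        _pinnedCertificates = [certs copy];
    }
    return self;
}
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Only server-trust challenges carry a chain; hand anything else (e.g. basic auth) to the system.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef serverTrust = space.serverTrust;
    // Step 1: normal OS validation (trusted CA, hostname, validity). Pinning adds to it.
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL systemTrusted = SecTrustEvaluate(serverTrust, &result) == errSecSuccess &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    // Step 2: the leaf certificate's DER bytes must exactly match one we ship.
    BOOL pinned = NO;
    if (systemTrusted && SecTrustGetCertificateCount(serverTrust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(serverTrust, 0);
        NSData *leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
        pinned = [self.pinnedCertificates containsObject:leafDER];
    }
    if (pinned) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:serverTrust]
             forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

Because the set is checked with byte equality, a renewed certificate must be added to the bundle before the old one expires; a certificate that merely reuses the same key is still rejected unless its bytes are shipped.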

Jay Graves

Jay is the Chief Technology Officer for POSSIBLE Mobile, a leading mobile development company. Jay’s expertise developing apps for some of the world's top brands has made him a respected leader in the space, with his work being featured on television, in iTunes and on devices inside Apple retail stores.