Putting TLS Pinning in Your Mobile Apps

For mobile applications, Transport Layer Security (TLS) certificate pinning goes a long way toward building security into an app and enhancing user and data privacy. The successor protocol to Secure Sockets Layer (SSL), TLS provides privacy and data integrity between two communicating entities, such as a mobile app and a backend API. 

TLS pinning is the process for an application to establish an exact verification of the certificate to a backend service. It further eliminates the possibility of a man in the middle (MiTM) attack between the application and the backend service it intends to communicate with.

If there is evidence of MiTM, the connection between the two legitimate entities can be stopped so that no data is passed over a risky connection. So why should your developers be putting TLS pinning in your mobile apps?

Increase the cost to attack your app
If a cyber-criminal wants to attack a mobile device, they will often start by attacking through the networks it uses to break the encrypted network transport and then exploit vulnerabilities within the app itself. TLS pinning increases the cost to attack your mobile app because it’s very hard to break the encryption that shields it from malicious packets sent through the encrypted channel. 

Strengthen user and data privacy
With TLS pinning, app data is encrypted across the network and does not allow third party inspection. TLS pinning adds an anti-eavesdropping communication channel that delivers privacy protection for users and their data.  

Mitigate exposure to user device spyware and authorized eavesdropping
There’s an explosion of spyware happening on Android and iOS as users unwittingly install apps that contain malicious VPN configuration profiles, which configure the user's device to send all network traffic to the app creator's server.

TLS pinning on a banking app mitigates third party data mining by limiting the exchange to only the two authorized entities—the mobile app itself and the bank’s backend API service it is expecting to talk to. If the device has spyware, which acts like a third party MiTM, the traffic of the pinned app isn’t vulnerable. 

Counteract the problems from a compromised CA
A CA is considered to be the arbiter of truth for the validity of an application’s certificate, but there are times when they can be compromised, which in turn compromises the certificates it verifies. 

It’s also possible to encounter a compromised CA in countries where the government wants to tightly control users’ access to the internet. In this case, the government does the eavesdropping on its citizens. Once there is a compromised CA in the chain of trust, someone can get in the middle of all the encrypted conversations of TLS. 

With TLS pinning, it doesn’t matter if there is a compromised CA on the network. An app’s communication is pinned directly to a very specific TLS certificate on the other side. If there’s ever a mismatch, it doesn’t matter that the compromised CA is saying the certificate is valid—the connection will be terminated, and traffic disallowed.
Report and analyze eavesdropping attempts
If the developer has a TLS reporting infrastructure, he can get a report every time eavesdropping or an MiTM attack is attempted on the app. By analyzing the reports, the developer can see trends emerge. For example, there is a spike in eavesdropping attempts from a particular country, which could indicate that something is systematically attacking a specific company, application or group of people.

In effect, all the app users become a sensor network to detect when MiTM attacks happen. Without TLS pinning and an associated reporting infrastructure, it’s challenging to find trends and alert on specific types of attacks.

When TLS Pinning Isn’t Helpful
TLS pinning can be incredibly helpful in securing a mobile app and the data it transports, but this technique isn’t a silver bullet. There are times when it doesn’t provide its key benefits, specifically when the mobile device is jailbroken. At that point, the CPU and all the memory of the mobile device are completely compromised, and there’s nothing at the application encryption level to stop data theft.

Once the phoned is “owned” at the root level, TLS pinning won’t protect against reverse engineering of the communication between an app and a backend API service.

Mobile apps with anti-eavesdropping protection via TLS pinning are more secure than their web app counterparts because web browsers do not support this security approach. Users want to know their data and information is secure and private.

Mobile app developers can use TLS pinning as a competitive advantage over other apps that don’t or can’t use this security feature. With a free SDK downloadable from GitHub, deployment of TLS pinning is easy and the value is high.

What’s Hot on Infosecurity Magazine?