Recent news stories [1] have brought attention to a research paper (“Spinner: Semi-Automatic Detection of Pinning without Hostname Verification” [2]) published this week highlighting man-in-the-middle (MITM) vulnerabilities in a number of public mobile apps. The vulnerability springs from a failure to validate that the hostname on the certificate matches the actual host to which an app connects. Drawing attention to and explaining mobile app security issues is good for enterprises and consumers alike.
Fortunately for NowSecure customers, the NowSecure Platform™ has always tested mobile apps for certificate pinning and proper certificate validation – including hostname validation. The NowSecure mission is to educate customers about the latest mobile security threats and help them maximize the security of the mobile apps they use and develop. Because a number of organizations have asked us about the issue, in this post we will explain how NowSecure has always tested for this issue and provided actionable recommendations for what enterprises need to do to protect themselves.
NOTE: If you are not a protected customer but you have an app in production and are concerned about your exposure, please email us at [email protected] explaining your issue and we will respond quickly to see how we can help.
How NowSecure Protects Customers Against This Mobile Vulnerability
NowSecure has long known of this particular mobile app security weakness. And because we approach mobile app security testing from the attacker’s point of view, we have always identified this flaw in any app we test and provided recommendations for how to mitigate the risk. In short, NowSecure customers whose apps have been tested with the NowSecure Platform and/or by our expert penetration testing services, and who followed the recommendations, are protected from this attack.
In testing the security, privacy, and compliance of mobile apps, it is not good enough to look only at the underlying code. In this threat scenario, merely reviewing the code might result in a “pass” because the code would show that the developer implemented certificate pinning, even though the pinning logic never checks the hostname. This is why mobile app security testing must include the complete suite of static, dynamic and behavioral analysis.
At NowSecure, we go deeper. Our automated technology (NowSecure Workstation™, NowSecure AUTO™, and NowSecure INTEL™) and expert penetration testing team assess mobile apps from the attacker’s perspective to actually execute a MITM exploit against the app for a deeper, more accurate security assessment.
Because NowSecure actually executes multiple network attacks when testing an app, we know whether we can intercept data. We do not stop at detecting a pinned certificate. Among other techniques, we attempt to establish an insecure connection with the app using a certificate issued for the wrong hostname and, separately, using a certificate from an untrusted issuer. If any of these connections succeeds, the NowSecure Platform alerts that the app’s certificate validation or pinning is not effective.
Inside Certificate Pinning Mistakes: Lack of Hostname Validation
The paper’s authors evaluated a total of 400 apps and found that 8 of them merely validated the certificate authority (CA) — i.e., the issuer of the certificate — and not the hostname. In that scenario, the security problem is that a malicious individual could procure a certificate from the same CA for any domain they control, then use it to execute a MITM attack against the app and its user and pilfer any data the app sends to the intended host.
All of the vulnerable apps have since been patched, according to the researchers. But it calls attention to the fact that some developers do not pin and validate certificates properly. Proper certificate pinning remains a highly effective countermeasure for MITM attacks, but it can be challenging to implement and must complement, not replace, the standard certificate validation checks (chain of trust and hostname). If certificate pinning is done incorrectly, developers may have a false sense of security.
Some reporting suggests that the paper exposes flaws in certificate pinning itself, which is fundamentally wrong. Certificate pinning is one of the best ways to protect mobile apps and their users from MITM attacks — the reported flaw is in the implementation of certificate pinning rather than the use of certificate pinning itself as a core mobile app security strategy. In other words, if you use certificate pinning in your mobile apps, we applaud you. Keep it up — just ensure that you’re implementing it correctly by testing your apps before deployment.
Having tested millions of Android and iOS apps over the past decade, we have evaluated a large number of certificate pinning implementations. Below are three questions you need to ask about your certificate pinning practices to determine whether you are implementing it correctly and protecting your app against vulnerabilities such as failing to verify the hostname on a certificate.
Is the app pinning the Certificate Authority (CA)?
- This means the app puts a whole lot of trust in the CA: it accepts any certificate for the domain in question that chains up to that CA’s root certificate (the top of the certificate chain of trust).
- Security and validation practices for issuing certificates vary from CA to CA, and several CAs have been breached in recent years, with bogus certificates issued as a result.
- A malicious individual who obtains a certificate for your domain from the same CA (through a breach or mis-issuance) can hijack the connection, because the app trusts everything that CA signs.
- Combining this approach with a lack of hostname validation seriously weakens the security of an app’s host connections: any certificate from that CA, for any domain, is then accepted.
Is the app pinning to an intermediate certificate?
- An intermediate certificate is a step down in the hierarchy from the root certificate mentioned above, but pinning to it has similar problems.
- The certificates at the bottom of the chain of trust — “leaf” certificates discussed below — can be signed using an intermediate certificate.
- And so, if a malicious individual can procure a certificate for the domain in question signed by an intermediate certificate, again, that attacker can hijack the connection because their certificate will be trusted by the app.
Is the app pinning the public key of the actual leaf certificate?
- NowSecure has recommended this best mobile app security practice for years: rather than pinning only to the CA or intermediate certificate, pin to the public key of the actual leaf certificate.
- Every certificate includes a public key corresponding to the server’s private key, and that public key (rather than the whole certificate) can be pinned within the app.
- This approach ensures the app trusts only certificates carrying a key pair you control; an attacker cannot present a matching certificate without your private key, whatever CA they obtain a certificate from.
- Some people protest that this method makes rotating expiring certificates a hassle, but, as we explain below, there are ways to both pin the public key and facilitate certificate rotation without having to update and re-release an app (allowing you to replace a certificate and still have older app versions function even without an update).
How to do certificate pinning in mobile apps and account for certificate expiration/rotation
Developers sometimes take shortcuts like CA pinning (or avoid certificate pinning altogether) to avoid having to release new app versions when certificates expire and need to be swapped out. However, there is a method to properly implement certificate pinning and allow for rotation of certificates without any interruptions in service:
- Pin based on the public key rather than the whole certificate. For an RSA key this can be the modulus, which is shared by the public and private key and so uniquely identifies the key pair; a digest of the full SubjectPublicKeyInfo is the equivalent that works for any key type.
- When a connection is opened, compare the public key in the certificate the server presents against the pinned value, in addition to the normal chain and hostname checks. The app then trusts only that key pair and, more importantly, no other certificate.
- Because the pin identifies the key rather than the certificate, you can renew the certificate and swap it out on the server without touching the app, as long as the private key does not change.
- Include two pins in the app: one for the key in active use and one for a backup key whose private half is stored offline. If the active key must be replaced, issue the new certificate for the backup key and older app versions keep working without an update.
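The Go program below is an added example, not code from the original post or from NowSecure. It builds a constructed stand-in CA in memory and issues test certificates to show, in one place, the hostname-validation flaw from the Spinner paper discussed above (a certificate for another domain from the same CA is accepted when only the issuer is checked, and a mis-issued certificate for the right domain passes even with hostname validation) and the leaf public-key pinning with a backup pin just described (the certificate is renewed with the same key, or rolled over to the backup key, and the pins embedded in the app never change). The host name api.bank.example, the CA name and all keys are constructed for the example. The pin is a SHA-256 of the SubjectPublicKeyInfo, which for RSA covers the modulus the post mentions and also works for other key types.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert has signer (the key behind parent) sign tmpl for pub and parses the result.
func newCert(tmpl, parent *x509.Certificate, pub any, signer *rsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// serverTemplate describes a leaf certificate for host as a public CA would issue it.
func serverTemplate(serial int64, host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// spkiPin is the value to embed in the app: SHA-256 of the DER SubjectPublicKeyInfo.
// It depends only on the key pair, so a renewed certificate for the same key keeps the same pin.
func spkiPin(pub any) string {
	return fmt.Sprintf("%x", sha256.Sum256(must(x509.MarshalPKIXPublicKey(pub))))
}

// check validates presented against the trusted roots. An empty host skips hostname
// validation, which is exactly the Spinner flaw; a nil pin list skips public-key pinning.
func check(roots *x509.CertPool, presented *x509.Certificate, host string, pins []string) bool {
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false
	}
	if pins == nil {
		return true
	}
	got := spkiPin(presented.PublicKey)
	for _, p := range pins {
		if p == got {
			return true
		}
	}
	return false
}

// Results records which checks accept which certificates in Scenario.
type Results struct {
	IssuerOnlyAcceptsAttackerCert bool // the flaw: any customer of the same CA gets in
	HostnameRejectsAttackerCert   bool
	HostnameAcceptsMisissuedCert  bool // CA breach: hostname validation alone is not enough
	PinRejectsMisissuedCert       bool
	PinAcceptsRenewedCert         bool // certificate renewed, private key unchanged
	PinAcceptsBackupKeyRollover   bool // switch to the offline backup key, no app update
}

// Scenario builds a constructed CA and four leaf certificates and runs the checks on them.
func Scenario() Results {
	const host = "api.bank.example" // hypothetical backend host
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Public CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed stand-in root
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// serverKey is live on the backend, backupKey's private half stays offline, attackerKey is not ours.
	serverKey, backupKey, attackerKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	pins := []string{spkiPin(&serverKey.PublicKey), spkiPin(&backupKey.PublicKey)} // active pin, backup pin
	attacker := newCert(serverTemplate(2, "attacker.example"), ca, &attackerKey.PublicKey, caKey)
	misissued := newCert(serverTemplate(3, host), ca, &attackerKey.PublicKey, caKey)
	renewed := newCert(serverTemplate(4, host), ca, &serverKey.PublicKey, caKey)
	rolled := newCert(serverTemplate(5, host), ca, &backupKey.PublicKey, caKey)
	return Results{
		IssuerOnlyAcceptsAttackerCert: check(roots, attacker, "", nil),
		HostnameRejectsAttackerCert:   !check(roots, attacker, host, nil),
		HostnameAcceptsMisissuedCert:  check(roots, misissued, host, nil),
		PinRejectsMisissuedCert:       !check(roots, misissued, host, pins),
		PinAcceptsRenewedCert:         check(roots, renewed, host, pins),
		PinAcceptsBackupKeyRollover:   check(roots, rolled, host, pins),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints all six fields as true. The `check` function is the logic an Android `X509TrustManager` or an iOS `URLSession` authentication-challenge handler has to perform; the empty-host call is the shape of the bug the paper found, and `pins` holding two values is what lets the backend rotate its key without an app update.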
For more detailed information about implementing certificate pinning in your Android and iOS apps, see our “Mobile man-in-the-middle attack prevention” blog post.
If you worry that your current mobile app security practices or technology fails to identify certificate pinning or certificate hostname verification, we can show you how NowSecure technology or services can augment your current approach and make your mobile apps more secure and compliant — e-mail us now at [email protected] or fill out our contact form.