Eden Allen
Certificate Pinning Explained: Everything You Need to Know

If you run a small or medium business, keeping your mobile applications safe for you and your customers is important. Most business owners, however, assume that using SSL and HTTPS is enough to make them secure. That is not true.

Neither SSL nor HTTPS on its own gives you full protection from attackers. Today, certificate pinning is the method that does the most to make your website traffic secure.

In this guide, we will explore everything from what certificate pinning is to how it saves your application from man-in-the-middle attacks.

So, let's get started!

Certificate Pinning

Certificate pinning is a security technique that prevents Man-in-the-Middle (MitM) attacks. When one of your clients connects to a web server, it examines the digital certificate presented by the server to ensure that it was issued by a trusted Certificate Authority.

But this checking and verification process is itself vulnerable to MitM attacks: the attacker intercepts the traffic and presents a fake digital certificate.

Certificate pinning counters this weakness by letting the client specify one or more digital certificates that the web server is expected to use. Whenever a client connects to the server, the presented certificate is checked against the expected ones. If they don't match, the client ends the connection or raises an alert.

With certificate pinning, we associate a domain name with one or more digital certificates. Whenever the app establishes a connection with the server, a handshake takes place in which both parties exchange messages. During this connection setup they also agree on the encryption algorithms and set the session encryption keys.

During this handshake, the device accepts the server's certificate chain only after confirming that one or more certificates in the chain are trusted. The certificate pinning process makes sure that the connection is established between the app and the official backend.

The main purpose of pinning is to prevent Man-in-the-Middle attacks. It also prevents the encrypted data exchanged between the app and the backend from being manipulated by a third party.

How Does Certificate Pinning Work?

Now that we understand what certificate pinning is, let us look at how it works.

Standard Certificate Validation

In a regular TLS handshake without pinning, the client connects to a server and the server presents the client with a digital certificate. The client then checks the authenticity of that certificate by verifying that it is signed by a trusted Certificate Authority.

It also checks whether the certificate has expired or been tampered with. If all these checks pass, the client proceeds with the connection.

Pinning Trust

With certificate pinning, the client takes trust verification a step further. It no longer has to rely on the Certificate Authority system alone, because the application or device carries a pre-configured list of digital certificates that can be trusted.

Man-In-The-Middle Attack

We have learned a lot about certificate pinning, but it is also important to know what a Man-In-The-Middle attack is and how it works.

When a customer uses a business's mobile application, the app makes a call to what it believes is the business's server. This step is vulnerable: an attacker can intercept the call and then relay it to the real server.

This lets the man in the middle obtain the server's public key while passing their own public key to your client. The attacker can now talk to both the server and the client, while the server and the client never talk to each other directly.

The attacker then has access to any data passed between your server and the client, and can also modify the data in transit as they see fit.

Implement Certificate Pinning

Now, we will discuss how you can implement certificate pinning in your mobile application.

SSL and Certificates

Before you try to implement certificate pinning, it's essential to understand what SSL certificates are and how they work. When a mobile application communicates with a server over HTTPS, the server provides the application with a digital certificate to prove its authenticity. This certificate is signed by a certificate authority.

With certificate pinning, you don't have to place your entire trust in the certificate authority; instead, you specify which certificates your app is going to trust.

Select Certificates

The next step is choosing the digital certificates your app is going to trust. You can pin the certificates themselves or, if you prefer, extract and pin their public keys. These certificates (or keys) are the 'pins' in the pinning process.

Integrate a Library or Implement It Manually

You can implement certificate pinning in the app with a dedicated library, or you can code it manually. Many libraries are available that give you pre-built functionality for certificate pinning.

If you want to do it manually, intercept the SSL connection and verify whether the server's certificate matches the pinned certificates. In a manual implementation, you have to write the certificate validation logic yourself.

Implement Pinning Logic

If you code the pinning logic manually, you need to intercept the SSL communication between the app and the server. Then, extract the server's certificate from the handshake and compare it with the certificate pinned in the app.

If it matches, the connection can be established. If it doesn't, terminate the connection or take the necessary security measures.

Read the full article - https://cheapsslweb.com/blog/what-is-certificate-pinning-a-detailed-guide/
