SSL Pinning in Android Part 1 (2024)


SSL (Secure Sockets Layer, long since superseded by TLS, although the old name stuck) certificate pinning, or pinning for short, is the process of associating a host with the certificate or public key you expect it to present. Once you know a host’s certificate or public key, you “pin” it to that host.

In other words, you configure the app to reject all but one or a few predefined certificates or public keys. Whenever the app connects to a server, it compares the server certificate with the pinned certificate(s) or public key(s). If and only if they match, the app trusts the server and establishes the connection.

You usually add a service’s certificate or public key at development time. In other words, your mobile app ships the digital certificate or the public key (normally as a hash of it) inside the app bundle. This is the preferred method because the pin is fixed before the app ever touches the network, so an attacker on the path has no opportunity to substitute their own value for it.

Before we jump into SSL pinning we need to understand how HTTP and HTTPS work; PowerCert Animated Videos has a well-animated explanation of both.

When the app tries to establish a connection to a server, by default it does not decide for itself which certificates to trust and which not to. It relies entirely on the platform’s trust store: the iOS Trust Store, or on Android the system CA store that Google ships with the OS. (Apps targeting Android 7.0, API level 24, or later do not trust CAs the user has added unless their network security configuration opts in; older targets trust the user store as well.)

This method has a weakness, however: an attacker who controls the device, or who talks the user into it, can install their own CA certificate into the iOS/Android user trust store, and a root CA can itself be compromised or tricked into mis-issuing a certificate for your host. Either way the attacker can set up a man-in-the-middle and capture the data moving to and from your app. On modern Android the user-CA route is closed to apps with a recent target SDK, which is why interception proxies there usually need a rooted device or a repackaged app.

Restricting the set of trusted certificates through pinning makes it much harder for an attacker to intercept the app’s traffic and analyze how the app communicates with the server. It is not absolute: on a rooted or jailbroken device, instrumentation tools (Frida and the like) can hook the pinning check itself, so treat pinning as one layer of defense rather than a guarantee.

How to Find the Version of the Trust Store Installed on Your iOS and iPadOS Device

  1. Tap Settings > General > About
  2. Scroll to the bottom of the list
  3. Tap Certificate Trust Settings

How to View Trusted Root Certificates on an Android Device

  1. Open Settings
  2. Tap “Security & location”
  3. Tap “Encryption & credentials”
  4. Tap “Trusted credentials.” This will display a list of all trusted certs on the device, split into a “System” tab (CAs shipped with the OS) and a “User” tab (CAs you or an MDM installed).

The exact menu names vary by Android version and vendor, but the “Trusted credentials” screen is present on all of them. You can also install, remove, or disable trusted certificates from the “Encryption & credentials” page.

To understand SSL Certificate Pinning, you should first grasp the essence of TLS and its cryptographic underpinnings.

Check out this blog for more details on Understanding TLS and Digital Certificates

If you want to implement pinning — which it seems you do since you’re reading this tutorial — you can decide between two options:

  • Pin the certificate: You can download the server’s certificate (the leaf, or an intermediate in its chain) and bundle it, or a hash of it, into your app. At runtime, the app compares the certificate presented in the TLS handshake to the one you’ve embedded.
  • Pin the public key: You can extract the certificate’s public key, strictly its SubjectPublicKeyInfo (SPKI) structure, and include it in your code as a string, normally a base64-encoded SHA-256 hash. At runtime, the app hashes the SPKI of the presented certificate and compares it to the hard-coded value. This is the form Android’s Network Security Configuration and OkHttp’s CertificatePinner use.

Choosing between these two options depends on your needs and on how the server is operated. If you pin the certificate, you must release a new version of your app every time the server rotates (renews) its certificate, or the app will stop working. If you pin the public key, the server can renew its certificate freely as long as it keeps the same key pair; the downside is that reusing the key pair across renewals may conflict with a key-rotation policy, and when the key finally does change you still need an app update. In either case, include at least one backup pin (a second key pair or an intermediate CA) so that a rotation does not lock your users out.
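The comparison described above, as an added example that is not part of the original post or of any Android library: a stand-alone Go program (Go standard library only, not Android code) that builds the “sha256/<base64>” pin either over the whole certificate or over its SubjectPublicKeyInfo, which is the same pin form Android’s Network Security Configuration and OkHttp accept for the public-key option, runs the app-side comparison, and then shows what each mode does when the server re-issues its certificate with the same key versus a new key. The host name api.example.com and the self-signed test certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// PinMode selects what the app pins: the whole certificate, or only its public key.
type PinMode int

const (
	PinCertificate PinMode = iota // SHA-256 over the full DER certificate
	PinPublicKey                  // SHA-256 over the SubjectPublicKeyInfo (SPKI), as Android NSC and OkHttp do
)

// Pin returns the pin string "sha256/<base64>" for cert under the given mode.
func Pin(cert *x509.Certificate, mode PinMode) string {
	data := cert.RawSubjectPublicKeyInfo // DER SPKI: algorithm identifier + public key bits
	if mode == PinCertificate {
		data = cert.Raw // DER of the entire certificate, including validity and signature
	}
	sum := sha256.Sum256(data)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned is the app-side check: the chain the server presented is accepted only
// if at least one certificate in it matches one of the embedded pins.
// In a real client this runs in addition to, not instead of, normal chain validation.
func VerifyPinned(chain []*x509.Certificate, pins []string, mode PinMode) error {
	for _, cert := range chain {
		got := Pin(cert, mode)
		for _, want := range pins {
			if got == want {
				return nil
			}
		}
	}
	return fmt.Errorf("pinning failure: no certificate in chain matched any of %d pin(s)", len(pins))
}

// mustKey generates a fresh P-256 key pair standing in for the server's identity.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SelfSigned issues a short-lived self-signed leaf for host with the given key.
// Constructed test data standing in for the server's real certificate.
func SelfSigned(host string, key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// RotationResult records whether the app's original pin still accepts the server after
// (a) re-issuing the certificate with the same key and (b) switching to a new key pair.
type RotationResult struct {
	SameKeyAccepted bool
	NewKeyAccepted  bool
}

// RotationDemo pins the server's first certificate in the given mode, then simulates
// both kinds of server-side rotation and reports what the pinned client would do.
func RotationDemo(mode PinMode) RotationResult {
	const host = "api.example.com" // assumed host name for the example
	key1 := mustKey()
	pins := []string{Pin(SelfSigned(host, key1, 1), mode)} // what the app bundle would carry
	reissued := SelfSigned(host, key1, 2)                  // renewal: same key, new serial/validity/signature
	rekeyed := SelfSigned(host, mustKey(), 3)              // full rotation: new key pair
	return RotationResult{
		SameKeyAccepted: VerifyPinned([]*x509.Certificate{reissued}, pins, mode) == nil,
		NewKeyAccepted:  VerifyPinned([]*x509.Certificate{rekeyed}, pins, mode) == nil,
	}
}

func main() {
	for _, m := range []struct {
		name string
		mode PinMode
	}{{"certificate pin", PinCertificate}, {"public-key pin", PinPublicKey}} {
		r := RotationDemo(m.mode)
		fmt.Printf("%-16s re-issued with same key: accepted=%v   new key: accepted=%v\n",
			m.name, r.SameKeyAccepted, r.NewKeyAccepted)
	}
}
```

Running it shows the trade-off from the paragraph above: a certificate pin rejects even a same-key renewal (the serial, validity and signature change the DER, so the hash changes), while an SPKI pin survives renewals and only fails once the key pair itself is rotated. The `pins` slice is where a backup pin would be added.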

Now that you have a grasp of what SSL pinning is and how it works, let’s dive into how to enable SSL pinning in Android.

Continuation > SSL Pinning in Android Part 2

Author: Margart Wisoky