Data Theorem’s TLS pinning protects data from eavesdropping

Are you protecting your users and sensitive O365 data from being leaked? Learn how Specops Authentication for O365 can help.

Data Theorem announced that mobile applications equipped with TrustKit, Data Theorem’s Transport Layer Security (TLS) pinning library, protect the transmission of data. The new level of mobile app security ensures user privacy, maintains data integrity, and blocks unknown attackers.

TLS pinning stops eavesdropping and HTTPS man-in-the-middle (MiTM) attacks. Accessing medical records or bank statements is safer through mobile apps with TLS pinning than through a hospital or banking website via a web browser.

While TLS pinning has existed as a concept, Data Theorem’s TrustKit, a free open-source security library, is the solution to ease the equipping of mobile apps with TLS pinning.

“TLS pinning ensures that mobile apps are less likely to be vulnerable to certificate attacks – which ultimately can enable man-in-the-middle attacks and eavesdropping,” said Professor Dan Boneh, head of the Stanford University Applied Cryptography Group and co-director the Stanford Computer Security Lab.

“It is particularly valuable when connecting phones to a mobile hot spot or to a hotel Wi-Fi where you have little control over how your data is routed. It is also important when connecting in less stable countries where you might be worried about the certificate infrastructure.”

TrustKit has a growing community of application developers, allowing it to further “anti-eavesdropping” as a new standard in mobile app security. Data Theorem announced that TrustKit has identified more than 100 million eavesdropping attempts on iOS and Android applications, where apps in active mode have blocked 100 percent of those attempts.

TLS pinning is a security capability to prevent active eavesdropping (MiTM). TLS Pinning ensures the client checks the server-side certificate against a known copy of that certificate before executing any network communication.

Browser vendors have moved away from pinning since Web browser pinning (aka HPKP) required effort for site operators to maintain properly, and it could not be used against all other sites. The ability to update certificates on mobile platforms is better than with desktop web browsers.

“Thanks to the effort of the TrustKit community, customers are developing mobile applications that are more secure than their web browser equivalents,” said Alban Diquet, Data Theorem Head of Engineering and author of TrustKit.

“TrustKit is the industry’s first solution to offer mobile app developers an easy-to-use TLS pinning SDK to encrypt network communication for mobile apps. One of the benefits of TLS pinning on mobile is actively stopping threats to organizations that are commonly introduced by mobile device spyware and compromised Certificate Authorities (CA).”

While the TLS pinning concept for mobile apps is well known, it has been difficult and time-consuming to implement (TLS pinning in mobile apps requires both operational and code-level changes). TrustKit facilitates code-level implementation by providing a “drag and drop” TLS public key pinning library.

Whenever an eavesdropping attempt occurs, the TrustKit library within the app sends a notification report back to Data Theorem for the delivery of analytics, visualizations, and alerts of malicious attacks and potential downtime.

Download and availability

Data Theorem’s TrustKit is available free for open source developers and users.