Approov introduced the Mobile Certificate Pinning Generator, a free tool to help mobile-first companies make Man-in-the-Middle (MitM) attacks targeting mobile app APIs a thing of the past. It enables organizations to simplify what has long been a complex and little understood recommendation: certificate public key pinning.
Without certificate pinning, a TLS connection is authenticated only against the trust store held on the client device. An attacker who can add a certificate authority to that store (routine on a rooted or jailbroken device, and on a test device running an interception proxy) can decrypt and modify the app's API traffic. Interception is also possible without touching the device: if any CA the device trusts issues a fraudulent certificate for the API hostname, the backend server can be impersonated.
The Open Web Application Security Project (OWASP) recommends: “You should pin anytime you want to be relatively certain of the remote host’s identity or when operating in a hostile environment. Since one or both are almost always true, you should probably pin all the time.”
However, recent research reveals that certificate pinning is not widely used, even in critical industry verticals such as financial services and healthcare.
Certificate public key pinning lets an app check that the server it connects to presents a public key the app already knows, rather than any key a device-trusted CA would vouch for, so neither a user-installed CA nor a mis-issued certificate can be used to intercept the connection. Certificate pinning is widely recognized as an effective defense against MitM attacks. Indeed, in recent years both Google and Apple have integrated pinning capabilities directly into their mobile operating systems (Android's Network Security Configuration and the NSPinnedDomains setting in iOS App Transport Security). Producing the correct pinning configuration has remained complicated, however, and that is what the new free tool addresses.
Cybersecurity researcher Alissa Knight said: “In my research on the security of financial and health care apps, Woman in the Middle attacks were a primary attack surface I could exploit, since in all cases pinning was not implemented and its absence was easy to exploit. I could use the information gained to mount automated attacks on APIs. Pinning the channel between mobile apps and their APIs should be a priority for all mobile-first companies, and would make it much harder for attackers to exploit their mobile apps to exfiltrate sensitive data on them and their customers.”
The pinning generator tool
The free tool from Approov lets organizations deploy pinning across Android and iOS apps more easily. It also provides guidelines for managing the pinning configuration over time.
The tool can automatically extract pins from live APIs and from certificates provided in a wide range of formats. The pin information is generated automatically in the correct form for Android and iOS to be pasted directly into the app’s configuration.
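What a pin actually is, and what "the correct form for Android and iOS" looks like, is easier to see in code. The following is an added example, not Approov's generator and not code from this page: it walks the DER of an X.509 certificate to the SubjectPublicKeyInfo, hashes it with SHA-256, base64-encodes the result, and renders a Network Security Configuration fragment for Android and an NSPinnedDomains fragment for iOS. It uses only the Python standard library; the certificate it pins is constructed inline with a minimal DER encoder (a fake RSA-shaped key, no valid signature) so the script runs offline. The domain api.example.com, the expiration date and the key bytes are all assumptions.

```python
"""Added example, not Approov's generator: compute SPKI pins from an X.509
certificate and render them for Android's Network Security Config and iOS
NSPinnedDomains. Standard library only. The certificate is CONSTRUCTED with a
minimal DER encoder (no real key, no valid signature) so this runs offline."""
import base64
import hashlib


def der_encode(tag, body):
    """Encode one DER TLV (short- or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def der_read(buf, pos):
    """Read the TLV starting at buf[pos]; return (tag, body, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + hdr:end], end


def der_children(body):
    """Split a constructed element's body into (tag, whole TLV bytes) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (whole TLV) of a certificate.

    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
        issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(cert_der, 0)
    tbs_tag, tbs_body, _ = der_read(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 Certificate SEQUENCE")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:   # v1 certificates omit the explicit [0] version
        fields = fields[1:]
    spki_tag, spki = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def pin_from_spki(spki_der):
    """Pin = base64(SHA-256(SPKI)): the key is pinned, not the certificate."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin(cert_der):
    return pin_from_spki(extract_spki(cert_der))


def android_config(domain, pins, expiration):
    """network_security_config.xml <pin-set>; any listed pin is accepted."""
    pin_lines = "\n".join(f'      <pin digest="SHA-256">{p}</pin>' for p in pins)
    return (f'<?xml version="1.0" encoding="utf-8"?>\n<network-security-config>\n'
            f'  <domain-config>\n    <domain includeSubdomains="true">{domain}</domain>\n'
            f'    <pin-set expiration="{expiration}">\n{pin_lines}\n    </pin-set>\n'
            f'  </domain-config>\n</network-security-config>')


def ios_config(domain, pins):
    """Info.plist NSPinnedDomains fragment (iOS 14+), pinning leaf identities."""
    entries = "\n".join(f"        <dict><key>SPKI-SHA256-BASE64</key><string>{p}</string></dict>"
                        for p in pins)
    return (f"<key>NSAppTransportSecurity</key>\n<dict>\n  <key>NSPinnedDomains</key>\n  <dict>\n"
            f"    <key>{domain}</key>\n    <dict>\n      <key>NSIncludesSubdomains</key><true/>\n"
            f"      <key>NSPinnedLeafIdentities</key>\n      <array>\n{entries}\n      </array>\n"
            f"    </dict>\n  </dict>\n</dict>")


def fake_certificate(key_bytes, with_version=True):
    """CONSTRUCTED certificate around an RSA-shaped SPKI; returns (cert_der, spki_der)."""
    alg = der_encode(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + key_bytes))
    name = der_encode(0x30, b"")                                   # empty Name is enough here
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") * 2)
    tbs = der_encode(0xA0, der_encode(0x02, b"\x02")) if with_version else b""
    tbs += der_encode(0x02, b"\x01") + alg + name + validity + name + spki
    cert = der_encode(0x30, der_encode(0x30, tbs) + alg + der_encode(0x03, b"\x00"))
    return cert, spki


def build_configs(domain="api.example.com", expiration="2025-12-31"):
    """Pin the live key AND a backup key kept offline: rotating to the backup then
    needs no app update, which blunts the static-pinning objection raised on this page."""
    current, _ = fake_certificate(bytes(range(256)))
    backup, _ = fake_certificate(bytes(reversed(range(256))))
    pins = [spki_pin(current), spki_pin(backup)]
    return pins, android_config(domain, pins, expiration), ios_config(domain, pins)


if __name__ == "__main__":
    pins, android_xml, ios_plist = build_configs()
    print(android_xml, ios_plist, sep="\n\n")
```

For a real certificate the same value comes from OpenSSL: `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`, with the certificate of a live endpoint obtainable via `openssl s_client -connect host:443 -servername host`. Two design points matter in practice: the hash covers the SubjectPublicKeyInfo, so a certificate renewed with the same key keeps the same pin, and the pin set should always carry a second pin for a spare key that is generated and stored offline, because a pin set containing only the live key is exactly what forces an app release when that key changes. Android's Network Security Configuration is honoured from Android 7.0 (API 24) and NSPinnedDomains from iOS 14; older releases need a library or hand-written trust evaluation.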
The limitations of static pinning
Some DevOps teams hesitate to deploy certificate pinning because certificates, and with them the pinned keys, have to be rotated. A rotation can then require a new version of the app, with a risk of downtime and of some users never upgrading. This happens because the pin set built into the app is static and can only be changed by shipping a new app. Pinning the public key rather than the certificate, and including a backup pin for a spare key held offline, reduces this risk but does not remove it: an unplanned key change still strands every installed version.
Moreover, the pinning mechanism that the generator tool's output relies on may not support the full range of operating system versions the app needs to run on.
Security-aware organizations are deploying the Approov solution, which protects against automated attacks on APIs, but also manages pinning using an innovative dynamic approach.
The Approov API Threat Protection Platform provides:
- Full dynamic pinning capability: pins can be updated over-the-air as required without the risk of app downtime due to a certificate change,
- Pinning implementations across a wide range of frameworks supporting Android 5 or iOS 10 and above, and
- Advanced detection of Frida and other invasive tools, ensuring the server side can thwart attempts to bypass pinning for MitM analysis.
Anatomy of mobile app API attacks
Attacks enabled by MitM analysis are a real and growing security threat to mobile apps and APIs. They are conducted as follows:
- The attacker intercepts traffic between the mobile app and the API using a proxy tool.
- The attacker gains secrets and information which can be used to access the API.
- Using the secrets and keys which have been harvested, the attacker creates a script which impersonates the app to the API and accesses unauthorized data.
“Mobile apps are — now more than ever — the lifeblood of organizations large and small,” said Approov CEO David Stewart. “Not pinning API connections is like leaving your front door open to MitM attackers, and organizations must act immediately to deploy pinning. Step one is to put a mechanical lock on the door which will deter many attackers, although it carries the risk of the key being lost or copied. Step two is to employ an electronic lock which can be instantly controlled and remotely configured. Based on our considerable experience of helping our customers, we are well qualified to help accelerate the elimination of MitM attacks completely.”