I have found a whitepaper on bypassing ssl pinning. If this is true, how can we securely implement certificate pinning in android apps? Is there any other workarounds possible other than certificate pinning?

Anonymous Platypus

  • IMHO, certificate pinning is to defend the user. The paper outlines how somebody could modify the app to remove that defense. Most users will have zero interest, let alone technical ability, to do this. – CommonsWare Oct 20 '15 at 11:49
  • Maybe I don't have a better understanding of certificate pinning. I am reading [this](https://security.stackexchange.com/questions/29988/what-is-certificate-pinning?s=2|2.9554) now. – Anonymous Platypus Oct 20 '15 at 12:23

1 Answer

The document you linked to details how the author bypassed pinned certificate validation in two different ways: by disassembling the application, removing the check and rebuilding the APK, or by changing the certificate in the application keystore. Both methods require a high degree of access to the application.

There is no way to fully protect your application against this. That is one of the reasons why you should never trust the client.

However, these attacks require the attacker to be able to replace your application with the modified version. If the attacker is the owner of the device, you simply cannot prevent it. Otherwise, the best you can do is rely on the OS security and warn your users not to root their devices.

Stephane

  • So, you are concluding that certificate pinning is the best solution to this category of issues, other than simply using SSL, right? – Anonymous Platypus Oct 20 '15 at 12:12
  • No, I'm concluding that, as @CommonsWare commented, SSL certificate pinning isn't intended to protect the server against an indelicate client or protect the client code from modification; it's there to protect the client against a MITM attack. – Stephane Oct 20 '15 at 12:14
  • So, the client will not be vulnerable unless he is using an unofficial (or tampered/modified) app if we have properly implemented SSL pinning in the official app. Can I assume so? – Anonymous Platypus Oct 20 '15 at 12:21
  • As long as 1/ you keep your server certificate secure 2/ the client is unmodified, then your client will be well protected against MITM attacks. – Stephane Oct 20 '15 at 12:23
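The answer and its comments describe what pinning is for (protecting an unmodified client against a MITM) and what it cannot do (survive an attacker who rebuilds the APK). As an added example that is not part of the original question or answer, the following Java snippet shows the common way an Android app pins to the server's public key using OkHttp's `CertificatePinner`. The hostname, the two `sha256/...` pin values and the `PinnedClient` class name are placeholders I have assumed; a real app would fill in the SPKI hashes of its own leaf or intermediate key plus a backup key held offline, so that a planned key rotation does not lock every installed client out.

```java
import java.io.IOException;
import java.security.cert.Certificate;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Added example: an OkHttp client that pins the API host to known SPKI hashes. */
public final class PinnedClient {

    // Placeholder hostname (assumption) - replace with the host the app talks to.
    private static final String API_HOST = "api.example.com";

    // Placeholder pins (assumptions). Each is "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)).
    // Pin the key you control (leaf or your intermediate) and at least one backup key
    // whose private half is kept offline, so rotation does not brick deployed apps.
    private static final String PRIMARY_PIN = "sha256/REPLACE_WITH_BASE64_SPKI_HASH_OF_CURRENT_KEY=";
    private static final String BACKUP_PIN  = "sha256/REPLACE_WITH_BASE64_SPKI_HASH_OF_BACKUP_KEY=";

    private PinnedClient() {}

    /** Builds a client that refuses any TLS chain for API_HOST not containing a pinned key. */
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /**
     * Development helper: performs one request and prints the pin of every certificate
     * in the presented chain, in the exact "sha256/..." form CertificatePinner expects.
     * Run this once against the real server to obtain the values for PRIMARY_PIN;
     * the backup pin should instead be computed offline from the backup key's CSR/certificate.
     */
    public static void printChainPins(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            if (response.handshake() == null) {
                System.out.println("no TLS handshake (plain HTTP?)");
                return;
            }
            for (Certificate cert : response.handshake().peerCertificates()) {
                System.out.println(CertificatePinner.pin(cert));
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Any MITM certificate, even one trusted by the device store, fails the pin check
        // and OkHttp throws javax.net.ssl.SSLPeerUnverifiedException.
        OkHttpClient client = build();
        printChainPins(client, "https://" + API_HOST + "/");
    }
}
```

Two points follow directly from the discussion above. First, the check runs inside the app process, so it only constrains an unmodified client: someone who repackages the APK can strip the `CertificatePinner` call just as the linked paper describes, which is why pinning is a client-side protection against network MITM and not a server-side guarantee about who is calling. Second, the pin targets the public key rather than the whole certificate, so reissuing a certificate for the same key does not break deployed apps, while the backup pin covers a genuine key change; forgetting the backup pin is the most common way teams lock their own users out.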