
I am making a webview that is going to be part of a native iOS and Android app. I implemented the webview using HTTPS as the protocol and developed my NodeJS app there.

But the security team where I work came up with the following situation:

"what if the phone that has the app is connected to a malicious router, which redirects the URL of the webview to another IP that has a server with malicious content"

And he told me to use SSL Pinning to fix the problem, but I'm not sure that this scenario can happen because I'm using HTTPS; I believe that HTTPS alone already gives me the protection I need against MITM.

If the router redirects the URL to a malicious server, the server will never have access to our SSL/TLS certificate. It can self-sign one, but it will never have a certificate signed by the CA root, so the webview will show a "This website is insecure" kind of warning.

He went on and said that if the user has a compromised device, he can generate his own CA and put it into the client's device, so it will complete an HTTPS handshake. While I see that this can happen, this isn't MITM, and I don't know how SSL Pinning can help in this case either.

The only case where I see SSL pinning being useful is if I want to prevent my URL from opening anywhere other than the app webview, but that is the only situation I can imagine.

Am I thinking the right way here? I would love to see your opinions on this.

gtbono
  • You're right - assuming that your client has the CA certificate installed, so that it can use this to verify the signature by the CA on the server certificate. – mti2935 Dec 04 '20 at 22:03
  • Although cert pinning adds an extra layer of protection, many tools drop this feature due to maintenance complexity when you urgently need to replace the key. In the past, Google actively used HPKP in Chrome, but in the long run it raised more issues than benefits, and pinning was eventually abandoned. I would think seven times before choosing pinning. – Crypt32 Dec 05 '20 at 11:12

1 Answer


If you use HTTPS as protection you basically trust the whole set of authorised CAs. Any one of them can (through trickery or by intent) issue a valid certificate for your domain.

There is also the case that there are quite a few corporations and schools that require you to install their CA root certificate (with a lot less protection than the commercial CAs).

You also have the people that use tools like Burp Suite to intercept the traffic between the app and your server.

Certificate pinning protects against all these issues. It will prevent a different server from talking with your app. Whether targeted and on purpose or malicious and criminal, it’s usually a good idea to add the layer of protection that pinning the certificate will add, even with the additional effort of maintaining it.

In short, certificate pinning is another layer of defence in depth, making it harder for both malicious and criminal actors to abuse the app and your server for any purpose other than the intended one.

LvB
  • "You also have the people that use tools like burp suite to intercept the traffic between the app and your server." HTTPS alone protects you from this, you don't specifically need certificate pinning for that, right? – gtbono Dec 05 '20 at 03:37
  • How does HTTPS help against Burp Suite being in between (MiTM) your server and the app? It behaves as a “proxy” specifically to do MiTM analysis. – LvB Dec 05 '20 at 04:25
  • 1
    @gtbono When using Burp Suite, the user almost always installs Burp's root CA certificate, and Burp then uses that root CA cert to generate its own cert for any site you request. Because your computer trusts Burp's CA cert, it trusts the site certs that Burp generates. This is how Burp allows decryption of HTTPS traffic. Now, mind you, blocking that (via pinning) can make security testing harder, and also it's not usually practical to attack somebody through Burp's CA cert (you'd need to not only be attacking a machine with the cert installed, you'd need that Burp install's private key). – CBHacking Dec 05 '20 at 09:00
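An added example, not from the question, answer or comments, of the pinning check the answer recommends and that CBHacking's comment says would block Burp's generated certificates. In Go, `tls.Config.VerifyPeerCertificate` runs after the normal trust-store validation, so a certificate from an installed proxy or corporate CA passes the usual check but still fails the pin; the function names and the in-process self-signed certificates are my constructions, not any project's code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPin hashes the cert's SubjectPublicKeyInfo: the sha256/base64 pin format used by
// HPKP and Android's network_security_config. Pinning the key rather than the whole
// certificate lets the server renew its certificate without shipping an app update.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins is the body of a tls.Config.VerifyPeerCertificate callback (bind pins with a
// closure). Go calls it after normal chain validation, so a certificate that the device
// trust store accepts (e.g. one issued by an installed proxy or corporate CA) is still
// rejected unless some certificate in the presented chain carries a pinned key.
func checkPins(rawCerts [][]byte, pins []string) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		for _, p := range pins { // a backup pin in this list permits key rotation
			if spkiPin(cert) == p {
				return nil
			}
		}
	}
	return errors.New("pinning failure: no pinned SPKI in presented chain")
}

// selfSignedDER makes a throwaway certificate (constructed test data) standing in for
// whatever certificate a server, genuine or interposed, presents to the app.
func selfSignedDER() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Two certificates generated this way have the same trust-store status but different keys, so pinning the first one's SPKI accepts it and rejects the second, which is the distinction plain HTTPS validation cannot make.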