Posts

Showing posts from December, 2017

Certificate Pinning in mobile apps

What is certificate pinning:
Certificate pinning is an countermeasure to any attempt of MITM (Man in the middle) attacks where an attacker tries to inject his own certificate to sniff the traffic between the client and the server.

Why cert pinning is required:
The question here is why it's required for mobile apps, why not for browsers? The reason is mobile apps are very obscure and very difficult to get about what's going behind the scene. The end user does not get any warning from the app about any possible malicious activities going on. However in case of a browsers on desktops the user is presented with various warnings about TLS such as domain name not matching etc. This alerts the user to sense that something is not right there. And he has option to accept/ reject it , while in mobile apps it's not the case.

How to do it:
Generally it's done on code level, where the developer binds (pins) a certificate with the app. It's sort of hard coding the cert name, CA…