Android SSL Certificate Pinning

I have previously written about SSL and man-in-the-middle (MITM) attacks and about Banking Apps Leaking Information. A common theme is apps failing to properly verify the authenticity of the SSL certificate the server presents.

Security-sensitive apps (e.g. banking apps) can implement SSL pinning, which restricts which certificate(s) the app will accept from the server. This involves hard-coding one or more specific certificate chains into the app, so that a certificate issued by any other CA, even one the device trusts, is rejected. There’s a working Android library by moxie and an example project by ikust. As an aside, as well as being more secure, pinning also allows you to use a self-signed SSL certificate, which costs nothing and avoids the considerable red tape involved in obtaining a CA-issued certificate.

Android 4.2 also introduced system-wide pinning, but this isn’t suitable for most apps, since they need to support earlier Android versions.

You also need to be aware that it’s possible to bypass SSL pinning (pdf). However, this requires the app to be reverse engineered, reconstructed and re-run, which is very unlikely to ever be possible ‘on the fly’ (at least on unlocked devices) while a random user is being hit by a MITM attack.