TLS Certificate Pinning
      Back to home
      1. Approov Mobile Security Knowledge Base
      2. Mobile API Security
      3. TLS Certificate Pinning

      Why do we need Certificate Pinning?

      Why HTTPS is insufficient in providing confidentiality, integrity, and authenticity in the communication channel between a mobile app and the API server?

      While HTTPS provides confidentiality, integrity, and authenticity in the communication channel between a mobile app and the API server, certificate pinning helps protect these guarantees from being compromised.

      To Further Enhance Trust-Based Assumptions Security

      The issuance of unverified certificates by root and intermediate certificate authorities (CAs) could allow an attacker to intercept any TLS encrypted traffic to that domain if they are able to intercept the channel or spoof DNS to do so.

      This is possible because mobile devices come pre-installed with a trust store of root certificates. TLS connections are considered trusted if there is a chain of trust to one of those root CA certificates. This means that if any of the CAs are compromised or issue certificates incorrectly, then trust is broken and tainted, as seen in the famous cases of DigiNotar, GlobalSign, and Comodo. In other words, unpinned TLS security is only as strong as the weakest CA that is included in the device's trust store.

      To Further Enhance App Security Against Reverse Engineering

      An attacker can control both their network access and the device on which they install the app. If the app does not use pinning, then it is relatively easy to install an additional certificate into the system trust store of the device, allowing them to intercept API traffic using a proxy tool. This allows them to extract any app secrets (such as API keys) and the structure of the API calls from the channel and use it to build a script to impersonate the app. Even if the app code is obfuscated or hardened, this style of reverse engineering can still be used.

      Pinning can make this reverse engineering approach much more difficult, making it an important step in improving the security posture of the app. However, it is still possible to break pinning where an attacker controls a rooted or jailbroken device, as discussed in "Is It Possible to Bypass Certificate Pinning."