To pin or not to pin: SSL pinning for Android & iOS

hi everybody so I'm your William sir and today I want to talk to you guys about SSL pinning for Android and iOS so thank you all for having me ear I was just wondering before I get started we've used in active in a mobile field as a pen tester developer or a rich guy whatever okay who view is actually involved in a whole bidding process of those hands that were raised it's just a very few so apologies for all the others if I'm very boring just say so and we'll skip some stuff and let's just make this interactive as much as possible I have a lot of stuff so you'll see a few QR codes which you can

scan which points to a handout you can download that so for the guy at roses hand at the end that was interested in the pinning part you can then get all the technical details there so am i immune Widom sir i work for a beautiful company called CB a-- i'm called the security architect or security coach or whatever you want to call that I've been a developer for a very long time still AM because I think you should combine those things so it's mostly on helping teams to evolve their security in their software development lifecycle which kind of makes me an application security specialists or whatever you wanna make of that so pretty filled agenda here

first of all I will talk about well shoot you've been at all and if so where should you pin to don't want to have the obvious description of leaf versus root certificates well you should hard-coded or use HTTP the key pinning then we're going to talk a bit about more about the technical details for iOS and Android and then some basic verification and there's a handout which you can download at the be sites web site which basically gives all the technical details as well so you can actually use that so let's start with the beginning because obviously why should you pin well you have to start somewhere and it's of course because of CLS so everybody

understands what ITA's works right I don't have to explain all the details there if anyone doesn't raise your hand well that's good so basically when you do your handshake to get the public key where you can encrypt your symmetric key with to do the extra pay decryption you get a bunch of certificates offered so if you leave certificate which is signed by an intermediate or directly by a root CA or itself etc etc and now somebody wants to do many meddling there so basically he can't because he needs to have the private key of the leaf certificate or something else because what if you could compromise her root CA it's like the anotr everybody knows the story right or

what if just somebody makes awful mistakes over there which happens still a lot we'll talk about that a little bit later as little as possible actually or if somebody starts entering rogue certificates in the tryst or of your actual device obviously you don't need to have physical access for some morning there so that's a bit of an issue but the way easier ways just to trick users to installing it because you can run demos awesome app in your life only if you install this otherwise you pay 60 bucks or 10 depending on the platform because Android ian's well they don't pay that much money is the Apple used to do it on average so yeah you can get it

for free but you have to install this profile this certificate and everything will be fine about those mistakes so in I don't think if you can see it yeah an SSL made calm you can see a beautiful story of all the things that went wrong and things that will probably go wrong in the future so yeah there's reason to do pinning but before you're gonna wonder what you should do pinning the major question that I hardly see addressed is whether the organisation is mature enough wait would ya because technicalities I mean coding and stuff and putting some certificates somewhere and running open SSL to get some data that's not hard the hard part is making sure your certificate can stay

where it read set because the moment it's no longer daring your pinning to something that's no longer there your app stops working so that's actually the major question you should ask your clients first whether it's a bank or something else so basically takes proper certificate life cycling to do the pinning correctly if you make sure you have a proper certificate life cycle if you make sure if you do public key pinning like your public key remains there and you don't do anything else it might work but the NEP implementation so guiding an app developer to do its job right that's not the heart that's just here it is copy paste follow the recipes and go we'll still discuss some of those

recipes by the way just to make things easier so you can just offer them directly and the hardest part actually is protecting the private key belonging to the public key you're pinning to or the certificate you're pinning to if you can't protect that that you have to move along and the app is still putting to something that isn't secure what's the bigger risk right so I only been if you have something valuable to protect you don't trust the PKI infrastructure or how people are using it right now so well banks make sense social media makes sense games that want to prevent cheaters use micro sections again makes sense but just your regular angular conference app yeah yeah I don't think

it makes sense so if you're pinning and remember that pinning doesn't protect you against local attacks if a guy has his hands on your device or as access to the device pinning doesn't help it might frustrate him for just ten seconds and then it's gone so yeah that doesn't work so what you pin to so over here who doesn't recognize for this is who does see some right cool so this is a certificate obviously it can pin to the full certificate so you can either put it in a twist or and it makes sure that you're pinning to the fill thing or you can actually do Bible byte comparison I've seen that too or you just pin to the

fingerprint osowiec the key information or the thumb or directly to the public key itself or a hash of the public key and I've seen both over there as well and how does this how does it compare to one another so in terms of ease of installation in the old days if you just put the certificate in interest or it's way easier because you don't have to use specific libraries or specific code or whatever but later lately lost two years as PIR public key pinning has become equally easy there's a bunch of libraries that support that and an expiry is interesting because when your certificate expires and you have to put a new one there and obviously that bin

won't work but if you stop if you reuse the same public key for your next CSR so you have the same public key again you can continue which lead to different type of challenges so for instance if you're pinning to a CA you might have different well yeah different certificates for the given CA and you have to a bit more often but now all of a sudden if you start being too picky you have to ask yourself wait how long can I use this public key when should I really rotate because I'm in control now no longer the certificate lifecycle itself is the problem but I'm the problem now how much risk do we have when do we have to rotate and

how do we prepare for that so leaf versus root certificates so basically let's say this is your average speaking infrastructure with for every would see a there's not a tree basically and this is yours your domain and here's somebody who well get some intermediate syrup starts giving out certificates for perhaps your domain as well and how do you make sure that then nobody gets gets in there so if you're preparing to multiple root CAS or a single one obviously you're still in the same trouble because it's in the chain you're pinning to that you can't see that you are in trouble if you start pinning to give an intermediate certificate the text surface is already much smaller but

the problem is of course now that you're still not completely in control most of its intermediate certificates so there's issues there but the cool stuff is that you now can start pinning for multiple subdomains if you have multiple different leaf certificates for instance but if you pin to the exact key certificate where you want to work with then it's obvious the safe thing but now all of a sudden you have to do this for every domain where you have a separate certificate for so you can hard code it which basically means you just put it in your application say this is a specific the specific pin where I want to pin to and nothing else but the moment you

rotate your public key or any certificate it no longer works so you have a life cycle poem there yeah obviously you can pack away the future public key but this means that your organization needs to be ready to stock the other private key of the public/private key pair somewhere else and keep it safe and obviously I'm talking to security guys right now that think oh we can do that talk to developers they can but you'll have to teach them so yeah if you use eight people key pinning which is beautifully described in this RFC so basically you're sending a had your server since I had errors a bunch of details in there the most important

parts are the these two pins so that's basically the hash of es PGI and if it matches with the offered certificate then you're okay it's twist on first use tofu so it makes tofu if the user spins up the app the first time in a compromised environment then obviously you can interact with this and funny thing is if you have a mobile application then obviously the first time you started you're entering your registration information which is often the PII you're trying to protect so this is might be a bit spiffy but depending on how your app is using and risk is involved this is actually okay and of course you need to backup in so

how do you get the materials to pin I'm just gonna quickly go over this there's a bunch of OpenSSL come on so you can use and Daryl so on the handout you can copy them there or from the sides so painting an Android well the coolest thing is endured no gap you basically get a beautiful network security configuration it's some excel when you got your hash to put it in here which is basically the thumbprint and you're good it's this simple you can basically define for which domain you want to use it you include subdomains you can create a set of different domains to do this so it's all highly configured that only works by the

way if you have Android and running on your device all right cool because right now it's just this little part of the pie and then you have the rest of the world to figure out well if your app is only there for high-end juicers that have money for new phones me my bother but mostly when we create apps do you have to take the other phone in as well so how does that work before there's no gap basically you have to obtain it you have to Lotus difficut in key store basically the stuff I already talked about and they have a trestman is you get twisted and there you do fella date materials and you're good and then for

public key it mostly means that you have to create your own trust manager here is where many developers make many mistakes so let's not go but you can also do it differently oh yeah before you by the way do that you have to clean the chain because an attacker might offer a the many middle might offer a set of certificates where his rope certificate is in as well and so is the actual certificate that is pinned by the developer and instill it can use a drug certificate or it's public you from that to do the actual handshake even though you're finished yet this is fine so you have to clean up the chain first there was a lot of fears

about that I'll think two years ago by now so in Android API level 17 this has been fixed you can use x.509 interest many extensions but that's not a large part of the pide it's still half way which means that you have some issues obviously you can't use the OpenSSL library because in the latest version of android you can no longer do a lot of low-level hooks anymore so you really have to go with the flow of what androids offering you the cool part is you can actually do this relatively easy for many API levels using okay it's b3 so that's a pretty modern HTTP client for Android which is used a lot by developers luckily there's actually

recipe in there so we'll just go through it quickly basically initialize it first you connect you get a stack trace because obviously this is not the pin you're looking for and then you select the one you want to pin to so leave certificate or intermediate or root and there you have your painting tada this chip and then you update the pin Ernie already another alternative is Triscuit for Android so if you don't want to go all programmatically but you just want to have to lick smell from Android Noga then Triscuit friend oh I can do this for you basically you enable that and then you can just still use that excel and it will work the only important

thing is of course keep the library of the date if you're using ok to be three or Triscuit or whatever because the Ender platform changes and so does the library interaction with the platform if that's not configured correctly it might not work at all so that's a good thing to take into account so then iOS which is actually relatively easy so there's an ethereal connection where which has been used a lot and these methods are deprecated but still advised on many websites and since they're deprecated by Apple don't do it either in Swift or using the connection will send requests for challenge or an objective-c or using connection will send requests for authentication challenge and there you implement the

pinning don't try to use the deprecated methods because that will give you trouble so how do you do that then so first you look at their formats because that's what the libraries understand then you basically select a certificate you want to pin to using the that fur basically you don't have to do cleaning because that's what Apple does for you Thank You Apple and anyway wait server trusts and if everything is fine verify whether it's the same and move along or you can let this be done by a library which I would still recommend a bit you can use Alamo Fire where you can hire say ok pin for these certificates or pin for public keys which makes it

relatively easy because there you just put the stuff in and then you're fine the cool thing is it will just look for the certificates in bundle so you can just put your dere file or your cert file or whatever somewhere in the application bundle I just don't forget to make sure that it when it's included if you select the proper target to include this for because otherwise this doesn't work and they initialize then you're done oh yeah and there is a funny thing with Alamo Fire you have to disable applique app Transport Security because some of the hooks are overridden with a lot more fire is using so this should be a red flag to anybody that helps mobile

developers this might not be a good idea right now but I figured they're working on it all right hey if networking which is way cooler you get the public key story that's a surf file and then you initialize the operation manager like over here with a policy just make sure it's somewhere in your bundle same thing different day and then you move along and then there's another it's relative another Triscuit this is actually the iOS version of the same trust kit and get the pins you want to pin to I during the info.plist file which might not be the best idea a better idea is to put them in a configuration programmatically because that takes a

lot lesser problems to change those but that's a different topic by the way and will give a slight Pinner to that one they have your basic verification so basically it's all based on verb you set up burp you generate certificates for a given domain and install it on your device so just enter the domain name in the certificate generator for burping the proxy settings in and go below then proxy your device through burp and try to connect to this designated domain if you can then something went wrong and if so try to repeat the same process but then for any arbitrary hostname your certificate and if you still can then something definitely went wrong and if

not your basic verification is completed so that basically sums up all of that and there's lots more in for those who are interested in mobile space but I would invite you to go over here to most mobile security testing guide and a lot of people are working on that and I would really love you guys to help us there to collaborate to add more stuff to it to review stuff because in the end this is something that developers are using right now as well which speeds up the ecosystem quite well so that's it so some takeaways Ben if you really have to don't pin if you're not ready don't be if you don't have to resit your

risk that really needs this in depth control Ben only if you're mature enough select the node you want to pin to carefully think about that for a couple of seconds I would say prefer public key pinning over certificate pinning cause by now that lifecycle things should be pretty evident I guess don't just do it yourself please use a library and keep it updated and if you do it yourself it's fine but make sure your experience you know what you're doing and that you have some somebody who helps you to evaluate it and check the old mobile screen testing guys for your for details and feel free to correct or update it questions there's plenty of time left

for questions so that's good great talk by the way so a question about Iowa specifically I think it was iOS 8 or 9 where 80s came out and it crashed a whole bunch of apps because developers were looking at it and I can't connect anymore so do you see anything coming in say iOS 11 or 12 in the next versions that could be as disruptive specifically for this pinning issue that's hard to say because there's betas coming out where we can start evaluating stuff but you'll find out sometimes the hard way in the end there's I'm pretty sure stuff will happen because what Apple is trying to do is trying to create a secure ecosystem for app developers that don't

want to do these kind of things just make it work out of the box and then the real problem is mostly not necessarily the developers but it's the people that run our servers where they connect to that all of a sudden aren't aligned anymore in the latest and greatest guidelines for Apple how to configure your TLS configuration I think that's the major channel so it's more the server developers that have to be worried less than the platform developer so to speak and in that sense definitely so having an early beta and start testing it is really recommended not just for the app developer but also for the opposite or the developer takes control the server infrastructure

alright thank you welcome I regret look I have the only one question how do you prepare for a compromised keys that you pin to I heard people talking about a second spinning to a second certificate or public key how do you feel about it and how do you think it can best be implemented I think overall using public key pinning is the best way to go but that means that you have to have separate public keys ready so the actual challenge in pinning indeed is storing the secondary private key somewhere or the combinational things and make sure you deployed that correctly and not something else so you can have multiple public keys already stored in your app it's

a problem but the real challenge is always managing those private keys I think it's a great idea you should always do that because everybody hopes that the app will be updated correctly so that users will download the new version what they want even though the app is telling you you have to update me otherwise it won't work then first we'll start complaining in the Google Play Store it doesn't work because they haven't read the modificator notification because too much text in there or it's unclear to them because it's just impatient so in the end having those multiple public keys is the best thing you can do but really make sure you're mature enough to handle the

private keys there so with a growing number of both nation states but also corporations trying with you know the best of intentions to break SSL either at Network parameters or you know further down an ISP of stream cane this is obviously not going to work right you're going to lock some users out of your application if you insist and unpinning right if you use something like let's say trust kit or implement the trust manager in in Android you would have the flexibility to make this a modal choice right so you test against the certificate you're trying to pin and then you give the user a choice saying we can see that someone is actually trying to intercept your connection do

you want to trust this connection or not and then you know it kind of gives the user the alternative to continue or not is this something you have experience with or have some thoughts on we did try that because if okay HTTP you can of course have multiple clients one configure with pinning and one without and but customers will just click ok and and that was just a simple experiment for ourselves we offered it to a Pio of a team that we were working for and it was like like what did I just do and that was a security mind appeal so the idea is great but overall I think if you manage your public keys correctly or

infrastructure correctly the cut out of users won't be that much and but users aren't ready to make those decisions because all we educated them at least if that key is correct on your website you're fine and on apps your device is great everything is fine we won't understand think anyone else and if not thanks you for your session