
SSL Pinning

Introduction

SSL Pinning is a security technique that ensures a client only trusts a specific SSL/TLS certificate (or its public key) for a website or application. It prevents attackers from using fraudulent certificates to intercept and read encrypted traffic, and it is commonly used in mobile apps to protect sensitive data.

How it works

SSL Pinning works on the client side: the app verifies the server certificate by comparing the hash of its public key against the hashes pre-bundled with the mobile app.

By design, a hash mismatch causes calls to the server to stop working. To recover from a mismatch (for example after the certificate has been renewed), you must add the new hash list to the app, build a new version of the app, and distribute it to your users.

Implementation

Disclaimer

The following implementation is limited to Cordova applications only.

Cordova does not support true certificate pinning. The main barrier is the lack of native APIs in Android for intercepting SSL connections in order to check the server's certificate.


To implement SSL pinning in hybrid apps, follow these general steps:

  1. Identify the SSL certificate used by the server.
  2. Integrate an SSL pinning plugin for Cordova.
  3. Hard-code the certificate's public key or hash into the app's code.
  4. Validate that connections to the server succeed with the pinned certificate.

Additional Operations

These operations are required if you decide to implement SSL Pinning.

  • Identify the current SSL certificate

    1. Open Google Chrome.
    2. Type your website URL in the address bar.
    3. Open Developer Tools (or press Ctrl+Shift+I), then go to the Security tab.
    4. Click the View certificate button.
    5. Find the SHA-256 Fingerprint.

  • Identify the renewed SSL certificate

    1. Install openssl.

    choco install openssl
    

    2. Get your new certificate in .crt (PEM) format.
    3. Generate the certificate fingerprint.

    openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate.crt]
    
  • Convert a certificate (.pfx to .crt)

    1. Install openssl.

    choco install openssl
    

    2. Extract the .crt file from the .pfx certificate (the .pfx password is required).

    openssl pkcs12 -in [certificate.pfx] -clcerts -nokeys -out [certificate.crt]
    

    3. Generate the certificate fingerprint.

    openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate.crt]
    
  • Resubmit the Android app to the Play Store

    No explanation needed.
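The following is an added example (not part of this page or of any Cordova plugin) showing the client-side check described under "How it works", fed with fingerprints in the exact form printed by the `openssl x509 -noout -fingerprint -sha256` command above. The certificate bytes are constructed stand-ins, not a real certificate; pinning both the current and the renewed fingerprint is what lets a renewal happen without the hash mismatch the page warns about.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable

# Constructed stand-in for a DER-encoded server certificate (not a real cert).
SAMPLE_CERT_DER = b"-constructed-der-certificate-bytes-for-demo-"


def fingerprint_sha256(cert_der: bytes) -> str:
    """Return the SHA-256 fingerprint in OpenSSL's colon-separated uppercase form."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_openssl_fingerprint(line: str) -> str:
    """Normalise a pin such as 'sha256 Fingerprint=AB:CD:...' (or the bare
    colon-separated value) to 64 uppercase hex characters, rejecting garbage."""
    value = line.split("=", 1)[1] if "=" in line else line
    hexstr = value.strip().replace(":", "").upper()
    if len(hexstr) != 64 or any(c not in "0123456789ABCDEF" for c in hexstr):
        raise ValueError("not a SHA-256 fingerprint: %r" % line)
    return hexstr


def pin_matches(cert_der: bytes, pinned: Iterable[str]) -> bool:
    """The client-side check: hash the presented certificate and accept it only
    if it equals one of the pre-bundled pins (constant-time comparison).
    Bundling the current and the renewed certificate's fingerprints together
    means a renewal does not break the app."""
    actual = hashlib.sha256(cert_der).hexdigest().upper()
    pins = [parse_openssl_fingerprint(p) for p in pinned]
    return any(hmac.compare_digest(actual, p) for p in pins)


def fetch_pinned(host: str, port: int, pinned: Iterable[str], timeout: float = 5.0) -> bool:
    """Open a TLS connection and refuse it unless the leaf certificate matches a pin
    on top of the normal chain validation. Needs network; not used by the demo below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True) or b""
            if not pin_matches(leaf, pinned):
                raise ssl.SSLError("certificate fingerprint does not match any pinned value")
            return True


if __name__ == "__main__":
    current = "sha256 Fingerprint=" + fingerprint_sha256(SAMPLE_CERT_DER)
    print(pin_matches(SAMPLE_CERT_DER, [current]))  # True: pinned certificate
    print(pin_matches(b"-some-other-certificate-", [current]))  # False: hash mismatch
```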

Summary

  • Pros

    SSL pinning provides extra security against attackers who try to intercept encrypted traffic. It makes it harder for attackers to steal sensitive information and can also improve the performance and reliability of the application.

  • Cons

    SSL pinning will make it more difficult to manage SSL/TLS certificates. If a certificate needs to be changed, updated or renewed, the client application needs to be updated as well, which can cause inconvenience for users and make the maintenance process more complex.