SSL Certificate Validation and Pinning on Mobile App: Pharmers Hate It

By |2019-01-21T15:41:14+00:00September 21st, 2016|


Security tips for mobile application developers

Like screenplay writers at Starbucks, SSL is everywhere. You would hope that SSL certificate validation and pinning would be everywhere too. Unfortunately, that’s not yet the case and a lack of SSL certificate validation and pinning weakens the usefulness of a certificate in establishing trust. Pharming unfortunately is also very common and attackers using pharming count on these weaknesses.

What is mobile pharming

Pharming works by redirecting a user’s web traffic to a fake, malicious website. It does not require tricking a user. It only requires getting a user on a traditional or mobile device to a fake site. For example, instead of my bank resolving to x.x.x.1, my bank now resolves to x.x.x.2 which is really the attacker’s fake bank site made up to look like my bank’s site.

There are some pretty creative ways for pharming to work such as DNS Spoofing also called Cache Poisoning. Jeremy Kirk wrote a piece for Computerworld on pharming attack that leveraged a router flaw: Hackers exploit router flaws in unusual pharming attack. Regardless of the pharming method, once the user connects to the malicious site, the attacker attempts to harvest sensitive information.

What is SSL certificate validation and pinning

SSL certificate validation helps to ensure that the SSL certificate files that link details about an organization with a cryptographic key are valid. SSL certificate validation helps ensure your app is using an authentic certificate. It can further go on to pin or link a host to a certificate on your app so that a mismatch, such as in the case of a pharming attack, will generate an alert.

SSL Certificate validation and pinning can be used together to combat mobile pharming by determining “yes” the certificate is authentic and “yes” the expected host is the host that’s connected. If it doesn’t match, the app should alert the user. For a deeper dive on certificates and certificate pinning, check out this video by Marty Burolla on #AskADev.

How does Appdome help prevent pharming with SSL certificate validation and pinning?

When you choose to add certificate validation to your app on Appdome, your app’s SSL certificates are validated to ensure they are authentic every time a user fires up your app. If the certificate validation fails, e.g. because of a fraudulent certificate, the user will be alerted on the mobile device.

On Appdome, you can also add certificate pinning to any app for additional protection. This is the process of linking a host to a specific certificate or a CA (Certificate Authority). Even if a specific host is whitelisted (which I’ve blogged about previously and you can read here ») pinning helps to ensure that that destination matches the originally pinned certificate your app expects.

In the case of pharming that is enabled through DNS spoofing, your fused app will detect inconsistencies. This is because the pharming site is fake and is not the legitimate site pinned to the certificate. The app will then alert the user. This is also useful for attacks where sessions terminate on a malicious proxy or experience a man in the middle (MiTM) attack. I’ll cover these topics in future blogs.

Appdome offers free mobile app security. The security suite includes advanced features, like Anti-tamperingcode obfuscation and more.

Thanks for reading! This blog is part of a series focused on security tips for mobile application developers. While it’s not intended to be an exhaustive analysis of security issues or Fusion, it’s my intent to use this blog series as a platform to help mobile application developers become more security-aware. I hope you found this information useful. Happy fusing!

About the Author:

Scroll Up