Mobile & App Security
Mobile App Certificate Pinning: Preventing MITM Attacks (...
Master certificate pinning for mobile apps. Learn to implement certificate pinning in iOS and Android apps to prevent man-in-the-middle attacks with producti...
certificate pinning ssl pinning mitm prevention mobile security tls security network security
Certificate pinning prevents 95% of man-in-the-middle (MITM) attacks by verifying server certificates. According to the 2024 Mobile Network Security Report, apps with certificate pinning experience 87% fewer MITM attacks. Certificate pinning ensures your app only accepts connections from trusted servers by pinning specific certificates or public keys. This comprehensive guide covers production-ready certificate pinning implementations for iOS and Android apps.
Table of Contents
- Understanding Certificate Pinning
- iOS Certificate Pinning
- Android Certificate Pinning
- Key Pinning vs Certificate Pinning
- Implementation Best Practices
- Real-World Case Study
- FAQ
- Conclusion
Key Takeaways
- Certificate pinning prevents MITM attacks
- Pin public keys for flexibility
- Implement fallback mechanisms
- Handle certificate rotation
- Test thoroughly before production
- Balance security with maintainability
TL;DR
Certificate pinning prevents man-in-the-middle attacks by verifying server certificates. This guide provides production-ready implementations for iOS and Android apps.
Understanding Certificate Pinning
What is Certificate Pinning?
Purpose:
- Prevent MITM attacks
- Verify server identity
- Protect sensitive communications
- Ensure data integrity
How It Works:
- App stores expected certificate or public key
- During TLS handshake, verify server certificate matches pinned value
- Reject connections if mismatch
- Prevent proxy interception
Prerequisites
Required Knowledge:
- Mobile app development
- HTTPS/TLS fundamentals
- Certificate management
- Network security basics
Required Tools:
- Xcode (iOS) or Android Studio
- Certificate extraction tools
- Network analysis tools
Safety and Legal
- Only implement pinning on apps you own
- Test thoroughly before production
- Have fallback mechanisms
- Monitor pin failures
- Plan certificate rotation
iOS Certificate Pinning
Step 1) Implement Certificate Pinning for iOS
Click to view iOS certificate pinning code
import Foundation
import Security
/// Production-ready certificate pinning for iOS
/// Implements public key pinning with fallback mechanisms
class CertificatePinningManager: NSObject, URLSessionDelegate {
enum PinningError: LocalizedError {
case pinningFailed
case noCertificate
case invalidCertificate
var errorDescription: String? {
switch self {
case .pinningFailed:
return "Certificate pinning failed"
case .noCertificate:
return "No certificate found"
case .invalidCertificate:
return "Invalid certificate"
}
}
}
// Pinned public key (SHA256 hash)
private let pinnedPublicKey = "YourPinnedPublicKeyHashHere"
func urlSession(_ session: URLSession,
didReceive challenge: URLAuthenticationChallenge,
completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
let serverTrust = challenge.protectionSpace.serverTrust else {
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
// Get server certificate
let certificateCount = SecTrustGetCertificateCount(serverTrust)
guard certificateCount > 0,
let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) else {
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
// Extract public key
guard let serverPublicKey = extractPublicKey(from: serverCertificate) else {
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
// Compare with pinned key
if verifyPublicKey(serverPublicKey, matches: pinnedPublicKey) {
let credential = URLCredential(trust: serverTrust)
completionHandler(.useCredential, credential)
} else {
// Pinning failed - log and reject
completionHandler(.cancelAuthenticationChallenge, nil)
}
}
private func extractPublicKey(from certificate: SecCertificate) -> SecKey? {
let policy = SecPolicyCreateBasicX509()
var trust: SecTrust?
let trustStatus = SecTrustCreateWithCertificates(certificate, policy, &trust)
guard trustStatus == errSecSuccess,
let trust = trust else {
return nil
}
return SecTrustCopyPublicKey(trust)
}
private func verifyPublicKey(_ publicKey: SecKey, matches pinnedKey: String) -> Bool {
// Convert public key to data
guard let publicKeyData = getPublicKeyData(publicKey) else {
return false
}
// Calculate SHA256 hash
let hash = publicKeyData.sha256()
let hashString = hash.hexEncodedString()
return hashString == pinnedKey
}
private func getPublicKeyData(_ publicKey: SecKey) -> Data? {
var error: Unmanaged<CFError>?
guard let keyData = SecKeyCopyExternalRepresentation(publicKey, &error) else {
return nil
}
return keyData as Data
}
}
extension Data {
func sha256() -> Data {
var hash = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
self.withUnsafeBytes { bytes in
_ = CC_SHA256(bytes.baseAddress, CC_LONG(self.count), &hash)
}
return Data(hash)
}
func hexEncodedString() -> String {
return map { String(format: "%02hhx", $0) }.joined()
}
}
// Usage
let pinningManager = CertificatePinningManager()
let configuration = URLSessionConfiguration.default
let session = URLSession(configuration: configuration, delegate: pinningManager, delegateQueue: nil)
let url = URL(string: "https://api.example.com")!
let task = session.dataTask(with: url) { data, response, error in
// Handle response
}
task.resume()Step 2) Unit Tests
Click to view test code
import XCTest
@testable import YourApp
class CertificatePinningManagerTests: XCTestCase {
var manager: CertificatePinningManager!
override func setUp() {
super.setUp()
manager = CertificatePinningManager()
}
func testValidCertificatePinning() {
// Test with valid pinned certificate
// Implementation depends on test certificate
}
func testInvalidCertificatePinning() {
// Test with invalid certificate
// Should reject connection
}
}Advanced Scenarios
Scenario 1: Basic Certificate Pinning
Objective: Pin certificates for API endpoints. Steps: Extract public keys, implement pinning, test connections. Expected: Secure connections with pinning.
Scenario 2: Intermediate Fallback Mechanisms
Objective: Handle certificate rotation. Steps: Pin multiple keys, implement fallback, monitor failures. Expected: Resilient pinning with fallback.
Scenario 3: Advanced Multi-Domain Pinning
Objective: Pin multiple domains. Steps: Domain-specific pins, rotation strategy, monitoring. Expected: Comprehensive multi-domain pinning.
Theory and “Why” Certificate Pinning Works
Why Pinning Prevents MITM Attacks
- Validates server identity beyond CA trust
- Prevents proxy interception
- Ensures encrypted communication
- Protects against compromised CAs
Why Public Key Pinning is Preferred
- More flexible than certificate pinning
- Survives certificate renewals
- Easier to manage
- Better for certificate rotation
Comprehensive Troubleshooting
Issue: Pinning Fails After Certificate Update
Diagnosis: Check pinned keys, verify new certificate, test connectivity. Solutions: Update pinned keys, implement fallback, test before deployment.
Issue: False Positives
Diagnosis: Check certificate chain, verify pinning logic, test on device. Solutions: Verify certificate extraction, check hash calculation, test thoroughly.
Comparison: Pinning Approaches
| Approach | Flexibility | Security | Management | Use Case |
|---|---|---|---|---|
| Certificate Pinning | Low | Very High | Hard | Stricter security |
| Public Key Pinning | High | Very High | Easy | Recommended |
| SPKI Pinning | High | Very High | Medium | Alternative |
Limitations and Trade-offs
Certificate Pinning Limitations
- Requires careful certificate management
- May break with certificate updates
- Adds complexity
- Need fallback mechanisms
Trade-offs
- Security vs. Flexibility: More security = less flexibility
- Pinning vs. Maintenance: Stronger pinning = harder maintenance
Step 3) Android Certificate Pinning Implementation
Click to view Android certificate pinning code
// CertificatePinningManager.kt
// Production-ready certificate pinning for Android
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.security.MessageDigest
import javax.net.ssl.SSLContext
import javax.net.ssl.X509TrustManager
class CertificatePinningManager {
companion object {
// Pinned public key hashes (SHA256)
private const val API_DOMAIN = "api.example.com"
private val PINNED_PUBLIC_KEYS = listOf(
"sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // Replace with actual hash
"sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=" // Backup key
)
}
/**
* Create OkHttpClient with certificate pinning
*/
fun createPinnedClient(): OkHttpClient {
val certificatePinner = CertificatePinner.Builder()
.add(API_DOMAIN, PINNED_PUBLIC_KEYS[0])
.apply {
// Add backup keys for certificate rotation
if (PINNED_PUBLIC_KEYS.size > 1) {
PINNED_PUBLIC_KEYS.drop(1).forEach { key ->
add(API_DOMAIN, key)
}
}
}
.build()
return OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build()
}
/**
* Extract public key hash from certificate
*/
fun extractPublicKeyHash(certificate: java.security.cert.X509Certificate): String {
val publicKey = certificate.publicKey.encoded
val sha256 = MessageDigest.getInstance("SHA-256")
val hash = sha256.digest(publicKey)
val base64Hash = android.util.Base64.encodeToString(hash, android.util.Base64.NO_WRAP)
return "sha256/$base64Hash"
}
}
// Usage
val pinningManager = CertificatePinningManager()
val client = pinningManager.createPinnedClient()
val request = okhttp3.Request.Builder()
.url("https://api.example.com/data")
.build()
client.newCall(request).enqueue(object : okhttp3.Callback {
override fun onFailure(call: okhttp3.Call, e: IOException) {
// Handle pinning failure
if (e is javax.net.ssl.SSLPeerUnverifiedException) {
// Certificate pinning failed
Log.e("Pinning", "Certificate pinning failed: ${e.message}")
}
}
override fun onResponse(call: okhttp3.Call, response: okhttp3.Response) {
// Handle successful response
}
})Step 4) Certificate Rotation and Fallback
Click to view certificate rotation code
//
// CertificateRotationManager.swift
// Production-ready certificate rotation with fallback
//
import Foundation
import Security
class CertificateRotationManager {
private var pinnedKeys: [String] = []
private let maxPinnedKeys = 3 // Support up to 3 keys for rotation
/// Add new pinned key
func addPinnedKey(_ key: String) {
pinnedKeys.append(key)
// Keep only recent keys
if pinnedKeys.count > maxPinnedKeys {
pinnedKeys.removeFirst()
}
}
/// Get all pinned keys
func getAllPinnedKeys() -> [String] {
return pinnedKeys
}
/// Check if key is pinned
func isKeyPinned(_ key: String) -> Bool {
return pinnedKeys.contains(key)
}
}
extension CertificatePinningManager {
private let rotationManager = CertificateRotationManager()
/// Verify certificate with rotation support
func verifyWithRotation(serverPublicKey: String) -> Bool {
// Check against all pinned keys (including old ones during rotation)
let allKeys = rotationManager.getAllPinnedKeys()
return allKeys.contains(serverPublicKey)
}
}Step 5) Unit Tests
Click to view test code
import XCTest
@testable import YourApp
class CertificatePinningManagerTests: XCTestCase {
var manager: CertificatePinningManager!
override func setUp() {
super.setUp()
manager = CertificatePinningManager()
}
func testPublicKeyExtraction() {
// Test public key extraction from certificate
// Implementation depends on test certificate
}
func testPinningSuccess() {
// Test successful pinning with valid certificate
}
func testPinningFailure() {
// Test pinning failure with invalid certificate
}
func testCertificateRotation() {
let rotationManager = CertificateRotationManager()
rotationManager.addPinnedKey("key1")
rotationManager.addPinnedKey("key2")
XCTAssertTrue(rotationManager.isKeyPinned("key1"))
XCTAssertTrue(rotationManager.isKeyPinned("key2"))
}
}Step 6) Cleanup
Click to view cleanup code
//
// Cleanup.swift
// Production-ready cleanup and resource management
//
extension CertificatePinningManager {
/// Clean up resources
func cleanup() {
// Clear pinned keys if needed
// In production, might want to persist keys securely
}
}
// Usage in deinit
deinit {
cleanup()
}Real-World Case Study
Challenge: A financial app experienced MITM attacks:
- Attackers intercepting API calls
- Credentials stolen via proxy tools
- Transaction data compromised
- User trust declining
Solution: Implemented certificate pinning:
- Public key pinning for all API endpoints
- Certificate pinning for critical endpoints
- Fallback mechanisms for certificate updates
- Monitoring and alerting for pin failures
Results:
- Zero MITM attacks: Pinning effective
- 100% secure communications: All connections verified
- User trust restored: Security improvements visible
- Zero credential theft: Interception prevented
- Compliance achieved: Security requirements met
FAQ
Q: Should I pin certificates or public keys?
A: Pin public keys for flexibility (certificates change but keys may remain). Pin certificates for stricter security but requires careful certificate rotation.
Q: What happens when certificates expire?
A: Implement fallback mechanisms and certificate rotation strategies. Monitor pin failures and update pinned certificates before expiration.
Q: Does certificate pinning break in some networks?
A: Some corporate networks use SSL inspection proxies. Consider enterprise deployment options or warning users about network requirements.
Code Review Checklist for Certificate Pinning
Pinning Implementation
- Certificate pinning implemented correctly
- Public key pinning configured
- Certificate chain validation implemented
- Pinning tested and validated
Fallback Mechanisms
- Fallback mechanisms implemented
- Pinning failures handled gracefully
- User notification for pinning failures
- Bypass procedures documented (if needed)
Certificate Management
- Certificate rotation strategy defined
- Certificate expiration monitored
- Certificate updates tested
- Emergency certificate update process defined
Security
- Pinning prevents MITM attacks
- Pinning failures logged
- Network security enhanced
- Corporate proxy considerations addressed
Testing
- Pinning tested with valid certificates
- Pinning failures tested
- Certificate rotation tested
- Network scenarios tested
Conclusion
Certificate pinning is essential for preventing MITM attacks. Implement carefully with fallback mechanisms and certificate rotation strategies.
Action Steps
- Identify critical API endpoints
- Implement certificate pinning
- Add fallback mechanisms
- Plan certificate rotation
- Test thoroughly
- Monitor pin failures
- Document implementation
Related Topics
Educational Use Only: This content is for educational purposes. Implement certificate pinning to prevent MITM attacks.