SSL Pinning Maze: A Developer’s Journey to Secure Android Applications

Audience:

1. Android Developers [Including Cordova, Capacitor, React Native, and Flutter Developers]
2. Security Testers

Introduction:

In the ever-evolving landscape of cybersecurity, the importance of securing data transmissions within mobile applications cannot be overstated. Recently, my encounter with SSL pinning brought to light a critical vulnerability in my application, leaving it susceptible to Man-in-the-Middle (MITM) attacks. This blog recounts the challenges faced, the dead ends encountered, and the ultimate triumph in finding a reliable solution.

The wake-up call came from a group of vigilant penetration testers who flagged my application for potential MITM vulnerabilities. Upon closer inspection, it was evident that the connections were not being adequately verified, posing a serious threat to the integrity and confidentiality of the data being transmitted.

The Quest for a Solution:

Determined to fortify my application against these threats, I embarked on a journey to find a robust solution for SSL pinning. Unfortunately, my initial efforts proved fruitless, as existing solutions were either outdated or lacked active maintenance.

The Obsolete Plugin: I found a plugin named `sslcertificatechecker`, but to my dismay, it had not been updated in six long years. I decided to take matters into my own hands and modified the code to suit my needs. Despite sharing the updated build with the PT team, the checks could still be removed, rendering the application vulnerable.

Native Layer Defense: Realizing the limitations of a plugin-based approach, I shifted my focus to the native layer of the application. Even with protection against static analysis, the powerful tool Frida could detect and terminate the process, bypassing the fingerprint checks against the server.

Trials: The journey was marked by disappointments, as each attempt to secure the application fell short of providing foolproof protection. It became clear that a more robust solution was needed to counteract the persistence and ingenuity of potential attackers.

A Light at the End of the Tunnel: Finally, after relentless exploration and experimentation, I stumbled upon a prebuilt solution tailored for Android applications. This solution leveraged certificate pinning, a process where a set of certificates is provided by the hash of the public key, making the certificate chain valid only if it contains at least one of the pinned public keys.

Certificate Pinning Unveiled: Certificate pinning emerged as the panacea for my SSL pinning challenges. By implementing this technique, my application could now prevent MITM attacks by ensuring that the certificate chain matched the predefined set of trusted public keys.

SDK 24 and newer:

Generating the Hash from the extracted SSL Certificate:

openssl x509 -noout -pubkey -in cert_to_pin.crt | \
openssl pkey -pubin -outform der | \
openssl dgst -sha256 -binary | \
openssl enc -base64

Add network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Allow to communicate with all certificates in system -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Allow to communicate with the pinned certificates in my backend domain. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">example.com</domain>
        <pin-set>
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

Conclusion: The journey to secure my application against SSL pinning vulnerabilities was filled with challenges, but the resolution ultimately came in the form of certificate pinning. As developers, the ever-changing landscape of cybersecurity demands continuous vigilance and adaptation. This experience serves as a reminder that proactive measures are essential to safeguarding sensitive data and maintaining the trust of users in an increasingly connected world.

Coming up next, we’ll explore the crucial topic of preventing hooking in applications. Discover the risks posed by hooking, understand the techniques employed by attackers, and learn effective strategies to fortify your app against this pervasive threat. Protecting your application goes beyond SSL pinning, and our upcoming blog will guide you through the steps to bolster your app’s defenses against the ever-present challenge of hooking.