Secure Communication in Mobile Apps: Implementing SSL Pinning for Multiple Endpoints with Diverse Certificates/Public Keys

Introduction

Ranjan Singh CyberSecurity
5 min read · Jul 4, 2023

Ensuring secure communication in mobile apps is of paramount importance, especially when dealing with multiple endpoints that have separate certificates or public keys. In scenarios where some endpoints are configured behind WAF or other content delivery networks, while others are directly configured on the data centre, implementing SSL pinning becomes crucial. This article explores the implementation of SSL pinning in mobile apps that communicate with N different endpoints, each having its own certificate or public key, and addresses the challenges and considerations involved in such scenarios.

[Figure: MiTM attack without SSL pinning]

→ Understanding SSL Pinning and its Significance

SSL pinning, also known as certificate pinning, adds an extra layer of security to mobile app communication by associating specific SSL certificates or public keys with the app’s trusted endpoints. By validating these pinned certificates or keys, the app ensures that it only establishes connections with authorized servers, mitigating the risk of attacks involving rogue or compromised certificates.

→ Handling Multiple Endpoints with Separate Certificates/Public Keys

Implementing SSL pinning for mobile apps communicating with N different endpoints that have diverse certificates or public keys requires careful consideration. The following steps can help navigate this complex scenario:

Identifying Endpoints and Certificates/Keys: Identify the SSL certificates or public keys associated with each endpoint. These certificates can be obtained from the endpoint owners or trusted certificate authorities (CAs). In this example, let’s assume the mobile banking app communicates with three endpoints: Endpoint A, Endpoint B, and Endpoint C. Each endpoint has its own SSL certificate or public key.

  • Endpoint A: Behind WAF, with a certificate issued by a trusted certificate authority (CA).
  • Endpoint B: Directly configured on the data center, with a self-signed certificate.
  • Endpoint C: Behind WAF, with a certificate issued by a different trusted CA.

Pinning Configuration: Establish a pinning configuration that accommodates multiple certificates or keys. This configuration should include the necessary logic to validate each endpoint’s certificate or key during the SSL handshake. To implement SSL pinning for the above endpoints, the mobile app needs to associate each endpoint with its respective certificate or public key.

  • For Endpoint A: The app configures SSL pinning to validate the certificate issued by the trusted CA associated with Endpoint A. It ensures that the app only establishes connections if the pinned certificate matches the one presented by the server behind WAF.
  • For Endpoint B: The app configures SSL pinning to validate the self-signed certificate associated with Endpoint B. It establishes a secure connection only if the pinned public key matches the one presented by the server directly configured on the data center.
  • For Endpoint C: Similar to Endpoint A, the app configures SSL pinning to validate the certificate issued by the trusted CA associated with Endpoint C. It verifies that the pinned certificate matches the one presented by the server behind WAF.

Certificate Chain Validation: If the endpoints behind WAF or other content delivery networks use intermediate certificates, ensure that the mobile app validates the entire certificate chain to establish trust and prevent unauthorized access.
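The per-endpoint pin lookup and chain check described in the two steps above, as an added example (not code from the original article): each hostname maps to the SPKI hashes it accepts, and the check passes only if some certificate in the presented chain carries a pinned key. Hostnames and certificates are constructed for the demo; in a real app this check runs after the platform's normal chain validation, not instead of it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the form in which a public-key pin is normally stored in the app.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Pins maps each (hypothetical) hostname to the pins accepted for it: a WAF-fronted
// host may pin its issuing CA's key so the leaf can rotate; a self-signed host pins its own.
type Pins map[string][]string
// Verify runs after chain validation: some cert in the chain must carry a pinned key.
func (p Pins) Verify(host string, chain []*x509.Certificate) error {
	pins, ok := p[host]
	if !ok { // fail closed: an unpinned host is a configuration error
		return errors.New("no pins configured for " + host)
	}
	for _, c := range chain {
		for _, want := range pins {
			if spkiPin(c) == want {
				return nil
			}
		}
	}
	return errors.New("pin mismatch for " + host)
}

// newCert builds a throwaway self-signed certificate (constructed for the demo).
func newCert(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}
```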

Handling Certificate Updates: To handle certificate updates, the app should implement a mechanism that allows for seamless updates without disrupting the user experience. This can include periodically checking for certificate updates, caching the certificates, and implementing a process to update the pinned certificates when necessary. Here’s an elaboration on the mechanisms that can be implemented:

  1. Periodic Certificate Update Checks
  2. Certificate Caching
  3. Certificate Expiry Handling
  4. Secure Certificate Storage
  5. Updating Pinned Certificates
  6. Certificate Revocation Checks
  7. Error Handling and User Notifications

[Figure: SSL pinning scenario after the public certificate is pinned]

→ Dealing with WAF and Data Center Configurations

When some endpoints are behind WAF or other content delivery networks, while others are directly configured on the data center, additional considerations arise:

  1. WAF Configuration: Understand how the WAF handles SSL termination and certificate management. Ensure that the mobile app validates the certificates or keys presented by the WAF during the SSL handshake, effectively pinning them.
  2. Direct Data Center Configuration: For endpoints directly configured on the data center, the app can employ traditional SSL pinning techniques by associating the specific certificates or keys with these endpoints.
  3. Certificate Transparency: Monitor the certificate transparency logs to detect any unauthorized or unexpected certificates associated with the endpoints. Regularly validate and update the pinned certificates or keys to maintain a secure connection.

→ Testing and Validation

Thorough testing is essential to validate the SSL pinning implementation for multiple endpoints with separate certificates or public keys. Perform comprehensive testing across different platforms, devices, and network conditions to ensure compatibility and security.

→ Considerations and Challenges

Implementing SSL pinning for mobile apps communicating with diverse endpoints entails certain considerations and challenges:

  1. Maintenance and Updates: Managing multiple certificates or keys requires ongoing maintenance and timely updates. Implement processes to handle certificate expiration, renewal, and revocation effectively.
  2. Key Management: Securely manage the private keys belonging to the pinned certificates. Employ robust key management practices to prevent unauthorized access and protect against key compromise.
  3. Usability and User Experience: Balancing security and usability is crucial. Implement SSL pinning in a way that minimizes any negative impact on app performance, responsiveness, and user experience.

Conclusion

Implementing SSL pinning in mobile apps that communicate with multiple endpoints, each having separate certificates or public keys, is vital for ensuring secure communication. By carefully configuring SSL pinning and addressing the challenges posed by WAF and data center configurations, mobile apps can establish trust with diverse endpoints and protect against unauthorized access and certificate-based attacks. Through rigorous testing, ongoing maintenance, and robust key management practices, mobile app developers can create a secure environment that prioritizes the confidentiality and integrity of user data.
