As you might have guessed from previous posts on the topic, I’ve been researching certificate pinning implementations in mobile apps for the last couple of years.
Two months ago I presented a talk on certificate pinning at OWASP AppSecEU16 conference in Rome, Italy. The conference was pretty fun, met so many interesting people.
The official abstract:
Pinning Certificates (“Cert Pinning”) trends perennially, coming to the fore with each new SSL hack. Security urges developers to pin certs and many mobile apps do — some applying pinning to problems it doesn’t solve while others do so entirely unnecessarily. What risks does pinning really reduce? What should a developer consider prior to deciding to pin certs? Are there tradeoffs? Once decided, how should they do it?
Taking a perspective useful to both developers and penetration testers, this presentation covers these tradeoffs; from how organizational maturity impacts viability, to the risk reduction offered by the choices developers make about which elements of the certificate and chain to validate. The presentation will quickly recap the basics of certificates, their chains, and SSL validation.
Expect to leave understanding common misconceptions and key subtleties of pinning that may in fact /decrease/ security or impose undue complexity. Expect to understand common developer mistakes in pinning, for example in mobile WebViews. By the end of the presentation attendees will understand organizational and operational complexities, relevant design, and implementation-level detail.
A long paper on the same content is in the works, will hopefully publish more on the topic soon.