
Talking with people, it is frequently considered that having a mobile application without certificate pinning is a vulnerability. But I rarely see people mentioning it for web applications.

The question is, why is this issue only mentioned for mobile apps? Is there a higher risk derived out of this vulnerability on mobile apps?

Thinking about it, considering that the degree of difficulty is about the same for installing a rogue certificate on both PC and mobile, I would say that the vulnerability should exist in both cases, but in the case of web apps there would be no remediation action, since HPKP, which I think is the only way to achieve cert pinning, is becoming obsolete.

Now, none of the people I've talked with could give any reasonable explanation, so that's why I wanted to see if there is indeed any good justification for mobile cert pinning.

UndercoverDog
tturbox
  • I'll be honest, whenever a mobile application does certificate pinning, I am not deterred, just annoyed. –  Mar 19 '20 at 22:44

2 Answers


Cert pinning is a solid tool to prevent MitM attacks. There's currently no functionality to implement it in browsers, though. It was tried with the HPKP header, but due to its complexity it was very easy to get the implementation wrong, DoSing your own site. It was also possible for hackers to maliciously implement HPKP "for you" and hold access to ransom. Basically, cert pinning on the web was determined to have too many drawbacks compared to the relatively small (though useful) amount of extra protection it can provide. Browsers have actively removed, not just disabled, support for it.

In mobile apps, cert pinning is still possible and recommended. Realistically, it has the same potential issues, but there are generally better protections in place. It's still possible to get it wrong by accident; however, with proper testing regimes, this should be caught before a build is published. Hackers would also have to gain access to the development environment to ransom access. Finally, unless you're updating the app within the app, a botched cert pinning issue can always be fixed by getting the user to update to a fixed version via the platform's app store, making any issues much easier to fix than they are on the web.

TL;DR: Cert pinning is good but easy to screw up. Mobile apps have more protection against screwups and are much easier to fix. Browsers also no longer support cert pinning, for everyone's protection.
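As an added illustration of the mechanism the answer above describes (example code written for this page, not the answer author's), here is the pin check itself together with the "backup pin" rule from RFC 7469, whose omission is the classic way a site ends up DoSing itself. The keys are constructed placeholder bytes wrapped in an Ed25519 SubjectPublicKeyInfo so the block runs without a certificate library; the pin format base64(SHA-256(SPKI)) is the one both HPKP and Android's network security config use. The function and constant names are this example's own.

```python
# Added example (not from the answers above): SPKI pin computation and the
# pin-set sanity checks an HPKP or mobile pinning deployment needs.
import base64
import hashlib

# Constructed data: an Ed25519 SubjectPublicKeyInfo is a fixed 12-byte DER
# prefix followed by the 32-byte raw key, so SPKI blobs can be built without
# a certificate library. The "keys" below are arbitrary bytes, not real keys.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def make_spki(raw_key: bytes) -> bytes:
    """Wrap a 32-byte constructed key in an Ed25519 SubjectPublicKeyInfo."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def pin_sha256(spki_der: bytes) -> str:
    """Pin in the form used by HPKP (RFC 7469) and Android's network security
    config: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis, pins) -> bool:
    """Pin validation: the connection passes if any SPKI in the (already
    chain-validated) certificate chain matches any configured pin."""
    pin_set = set(pins)
    return any(pin_sha256(spki) in pin_set for spki in chain_spkis)


def pin_set_problems(chain_spkis, pins):
    """Pre-deployment checks on a pin set. RFC 7469 requires at least one pin
    that matches the current chain and at least one Backup Pin that does not;
    a set failing these is how a site pins itself out of its own domain."""
    chain_pins = {pin_sha256(spki) for spki in chain_spkis}
    pin_set = set(pins)
    problems = []
    if len(pin_set) < 2:
        problems.append("TOO_FEW_PINS")
    if not pin_set & chain_pins:
        problems.append("NO_PIN_IN_CHAIN")   # would lock out the live chain
    if not pin_set - chain_pins:
        problems.append("NO_BACKUP_PIN")     # key rotation cannot be pinned ahead
    return problems


# Constructed keys: current leaf, an offline backup key, and a key the server
# has never used (stands in for a certificate the client should not accept).
LEAF = make_spki(bytes(range(32)))
BACKUP = make_spki(bytes(range(32, 64)))
UNKNOWN = make_spki(bytes(range(64, 96)))


def rotation_outcome(pins_before_rotation) -> bool:
    """Rotate the server to BACKUP; True if clients holding the old policy still connect."""
    return chain_matches_pins([BACKUP], pins_before_rotation)


if __name__ == "__main__":
    good = [pin_sha256(LEAF), pin_sha256(BACKUP)]
    bad = [pin_sha256(LEAF)]
    print("unexpected chain accepted:", chain_matches_pins([UNKNOWN], good))  # False
    print("good set problems:", pin_set_problems([LEAF], good))               # []
    print("bad set problems:", pin_set_problems([LEAF], bad))                # ['TOO_FEW_PINS', 'NO_BACKUP_PIN']
    print("rotation with backup pin:", rotation_outcome(good))               # True
    print("rotation without backup pin:", rotation_outcome(bad))             # False (self-DoS)
```

The rotation case is the point of the backup-pin rule: with only the live key pinned, the first key rotation turns every client that cached the policy away, which is exactly the "DoSing your own site" outcome the answer mentions. In a mobile app the same check runs against a pin list shipped in the app, and an app update can replace that list; a cached HPKP policy had no such escape hatch.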


TL;DR: The protection of certificate pinning is the same: almost none.

The risk is essentially the same, and certificate pinning is not something that will deter any determined attacker. As soon as part of the code is not executed inside your own environment, you have no control whatsoever. Just look at all the blockbuster games and their protections, and the myriad of cheating tools bypassing every single protection: anti-debugging, certificate pinning, checksumming, and everything else.

In the case of web applications, pinning is mostly pointless because the attacker will have the entire source code readily available all the time, and every browser ships with a full-fledged debugging environment. In this scenario, certificate pinning will be defeated with a well-placed breakpoint and a variable change.

On a mobile application, the path is a little longer. The attacker will usually need a rooted or jailbroken phone, and will change the application to use another certificate, or to bypass the check. Either way, it isn't anything a dedicated attacker would have any difficulty doing.

ThoriumBR
  • I thought the purpose of certificate pinning was to mitigate a MITM attack, which does not require a compromised endpoint. – John Wu Sep 03 '22 at 06:47