SSL Pinning is not a new concept, even then most mobile developers secure their apps by pinning their SSL certificates, only after they get a attack from unknown hacker.
What is certificate pinning?
Steps
What is certificate pinning?
By default, when making an SSL connection, the client checks that the server’s certificate:
- has a verifiable chain of trust back to a trusted (root) certificate
- matches the requested hostname
What it doesn't do is check if the certificate in question is a specific certificate, namely the one you know your server is using.
Relying on matching certificates between the device's trust store and the remote server opens up a security hole. The device’s trust store can easily be compromised - the user can install unsafe certificates, thus allowing potential man-in-the-middle attacks.
Certificate pinning is the solution to this problem. It means hard-coding the certificate known to be used by the server in the mobile application. The app can then ignore the device’s trust store and rely on its own, and allow only SSL connections to hosts signed with certificates stored inside the application.
This also gives a possibility of trusting a host with a self-signed certificate without the need to install additional certificates on the device.
Steps
There are three important steps in the process:
- obtain a certificate for the desired host (preferably the whole certificate chain)
- make sure the certificate is in .bks format - this step is crucial in order for pinning to work properly across all devices
- use Apache HTTP client shipped with Android - initialize it to use the obtained .bks keystore for SSL connections
- A fully functioning example that demonstrates the solution that we're using can be found here.