SSL Pinning : Should it be recommended


Anant Shrivastava

Jan 20, 2016, 12:56:06 AM1/20/16
to OWASP Mobile Top 10 Risks
Hi Folks,

We always look at the SSL / TLS connection and everyone suggests doing SSL pinning. However, with access to https://github.com/Fuzion24/JustTrustMe (Xposed module) and
https://github.com/nabla-c0d3/ssl-kill-switch2 (iOS), at least for the two major players.

Do you still think SSL Pinning is a solution?

Every implementation of SSL pinning is trivially bypassable so far without even tampering with the application binary, just via dynamic hooking. Can anyone suggest an implementation which is not bypassed (specifically on iOS and Android)?

-Anant

Bao Le

Jan 20, 2016, 1:45:03 AM1/20/16
to owasp-mobile...@owasp.org

Fyi

---------- Forwarded message ----------
From: "Bao Le" <whiteha...@gmail.com>
Date: Jan 20, 2016 13:43
Subject: Re: SSL Pinning : Should it be recommended
To: "Anant Shrivastava" <an...@anantshri.info>
Cc:

Dear friend,

As you mentioned before, and in my opinion, cert pinning is an additional protection layer to mitigate the attacker capturing your app data. In my previous mail, I noted 2 ways to implement cert pinning, and it is also clearly possible to bypass. But try to think another way: we can make our HTTPS connection via Socket, with a valid SSL cert on the server side as well. By the way, it's very hard to capture and replay the traffic.

Take a look at Google Volley


Anant Shrivastava

Jan 20, 2016, 1:50:39 AM1/20/16
to Bao Le, OWASP Mobile Top 10 Risks
Interesting, I admit I have not seen Volley before. Let me try and get a sample app using Volley with cert pinning and see if I can play around with this.
Thanks for the tip Bao.

-Anant

Bao Le

Jan 20, 2016, 1:55:32 AM1/20/16
to Anant Shrivastava, OWASP Mobile Top 10 Risks
Please inform me if you could modify the traffic, or just perform MitM to see whatever they did on the wire. At this time, as I have tried my best, I can't bypass this technique. Maybe it's the best recommendation for now for the cert pinning technique.

Javi D R

Jan 20, 2016, 3:15:30 AM1/20/16
to Bao Le, Anant Shrivastava, OWASP Mobile Top 10 Risks
Cert pinning helps to improve the security, but it can be bypassed using MitM + social engineering.

If you generate a self-signed certificate and make the victim install it on the device, you can MitM that connection.

Anyway, for me, cert pinning is a must in every development.

Anant Shrivastava

Jan 20, 2016, 3:19:29 AM1/20/16
to Javi D R, Bao Le, OWASP Mobile Top 10 Risks
@all, let's keep this thread about the Guide. I will answer this in detail on the other thread.

Anant Shrivastava

Jan 20, 2016, 3:22:00 AM1/20/16
to Javi D R, Bao Le, OWASP Mobile Top 10 Risks
Ah forget my last email. Got confused with threads.

@Javi, I beg to differ on that. What you are stating is cert validation, which can be bypassed by MitM and adding a cert to the device. What we are talking about is cert pinning, which counters the exact threat you stated. When you pin a certificate you move trust from the device cert store to your own cert store, which is hardcoded in the binary in the form of the whole chain or just the hashes of the chain.

I know we recommend and everyone should have it, but my main concern is this should not mislead people to believe that by cert pinning they are all secure.

Javi D R

Jan 20, 2016, 3:31:52 AM1/20/16
to Anant Shrivastava, Bao Le, OWASP Mobile Top 10 Risks
Mm... Disagree

I agree with the final bit, as this is a must, but it should not lead people to think that it will solve all the problems.

When you generate a ss certificate for a web application, and install it in your browser, you trust that certificate and can use it to do MitM.

Same happens in mobile. I generate that certificate and I trust it. Once it is done, this cert is perfectly valid.

I have done this on my device and can do MitM for every single app on my device (as the cert is valid for *).

I can prepare a tutorial and screenshots to clarify it, but it works.

Anant Shrivastava

Jan 20, 2016, 3:54:19 AM1/20/16
to Javi D R, Bao Le, OWASP Mobile Top 10 Risks
Hi Javi,
I suppose there is some disconnect; I would request you to go through the following material before we discuss this further.

I suppose @bao talked about his sample app here https://github.com/whitehatpanda/VN-SecurityDay-2015 which could be used as a sample. The whole setup you have, if it doesn't include a pinning bypass tool like JustTrustMe or SSLTrustKiller, will not be able to decrypt the traffic of an app using cert pinning.

I have the sample APK I used to demonstrate SSL pinning during the session; have a look at this. Even if you have a machine with the cert added to the trust store, the SSL connection will fail in a MitM scenario.

Try this APK for example. It does nothing except try to make an SSL connection to anantshri.info; if MitM'd it fails, but install JustTrustMe and it will be bypassed and the SSL connection established.

Hope this helps in understanding the discussion at hand.

-Anant


app-debug.apk

Jim Manico

Jan 20, 2016, 4:01:51 AM1/20/16
to Anant Shrivastava, OWASP Mobile Top 10 Risks
Certificate pinning is a very old cryptographic technique; there is nothing new or special about it.

Please consider reading https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning to understand the threat model in play. Everything is bypassable. But pinning does prevent MITM interception that uses a CA's private certificate to sign fraudulent TLS keys.

In most mobile standards, mobile apps are flagged as vulnerable if they do not do pinning, because it's fairly easy to pin in the mobile world compared to web apps and similar.

- Jim

jeroen.w...@stadshartkerk.nl

Jan 20, 2016, 4:02:22 AM1/20/16
to OWASP Mobile Top 10 Risks
Hi All,
I think that SSL pinning (both in the way OK-HTTP/Volley support it as well as using X.509) is just a control to add defense in depth. If you want to make eavesdropping harder: use public key crypto to exchange a symmetric session key and use payload encryption. We have done this many times and it shows to help a lot. Note that, if you want to do this properly, you might want to change the public key every once in a while.
Please note that SSL certificate pinning requires proper certificate management as well: if you know that you need to update your certificate, then you have to make sure that your app already contains the (verifiers of the) new certificate.

With kind regards,
Jeroen

Anant Shrivastava

Jan 20, 2016, 4:10:31 AM1/20/16
to jeroen.w...@stadshartkerk.nl, jim.m...@owasp.org, OWASP Mobile Top 10 Risks
Thanks Jim and Jeroen for your thoughts on this.

This is exactly what I was looking for. I just wanted to ensure that what we give out as a recommendation has statements clearly stating the shortcomings of the solutions.

@Jeroen,

It would be awesome if you can point to some reference implementation that will help us in tweaking the details accordingly.

I firmly believe the most important bit in reports / guides should be how to mitigate and what could be done. We can keep testing but if there is no way to fix then there is no point testing it.

Noted: merged the two responses into the same email below to keep a consistent thread of discussion.

-Anant

On Wed, Jan 20, 2016 at 2:31 PM, Jim Manico <jim.m...@owasp.org> wrote:
Certificate pinning is a very old cryptographic technique; there is nothing new or special about it.

Please consider reading https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning to understand the threat model in play. Everything is bypassable. But pinning does prevent MITM interception that uses a CA's private certificate to sign fraudulent TLS keys.

In most mobile standards, mobile apps are flagged as vulnerable if they do not do pinning, because it's fairly easy to pin in the mobile world compared to web apps and similar.

- Jim

Bao Le

Jan 20, 2016, 4:30:18 AM1/20/16
to Anant Shrivastava, Jim Manico, jeroen.w...@stadshartkerk.nl, OWASP Mobile Top 10 Risks

I think we have 2 scenarios to discuss:
1. Using the HTTPS connection as-is (it means we directly make it via the httpClient class supported in Java).
2. Using the Volley plugin to make HTTPS; yes, it's fully SSL, and tunnelled via a socket connection. This way is more difficult than the first one; you know that it's running on a different layer of the OSI model. At this layer, it's hard to be modified...

Javi D R

Jan 20, 2016, 4:58:12 AM1/20/16
to Anant Shrivastava, Bao Le, OWASP Mobile Top 10 Risks
Hi

You are right. Certificate pinning doesn't allow MitM if it is properly implemented. It depends on how cert pinning is implemented. There is an interesting article on that:

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/january/bypassing-openssl-certificate-pinning-in-ios-apps/

Thanks

Raphael de Almeida

Jan 20, 2016, 6:42:25 AM1/20/16
to Javi D R, Anant Shrivastava, Bao Le, OWASP Mobile Top 10 Risks
Anant, 

Perhaps you can give me some light about a question I'm dealing with. How is it possible to bypass a cert pinning when using IBM Worklight Authenticity feature to prevent binary code modification from happening?

Thanks and best regards!!

Raphael Denipotti.


Paco Hope

Jan 20, 2016, 3:27:40 PM1/20/16
to Javi D R, OWASP Mobile Top Ten
Ah, certificate pinning.

Here’s an old saying I just made up: “Certificate pinning is for life, not just for Christmas.” The essence behind this saying is that you don’t just “do certificate pinning” once and call it a day. You’re volunteering some organisation for all sorts of PKI tasks (issuing certs, possibly running a CA, revoking certs, rotating certs, renewing certs, etc.) for the rest of the useful lifetime of that app. This is not like turning on httpOnly on your cookies. Running a PKI and doing the requisite activities around issuing, protecting, and managing the certificate-that-is-pinned is serious stuff. Many organisations will fail on procedural things (like checking the pinned certificate and its private key into GitHub). Certificate pinning is hard.

Secondly, you are condemning the victim, er, uh, developer to “live la vida crypta”. Answer a few questions for the developer who you think needs to pin certificates:
  • What kind of certificate do they pin? Self-signed CA? A public CA that is well known? Pin just the leaf cert for a specific app? This is not an easy question to answer and there are all sorts of trade-offs.
  • Whose certificate validation code will they execute to validate the certificate that they pinned? Will they run the operating system’s certificate validation algorithms? Will they embed OpenSSL or PolarSSL or GodKnowsWhatSSL into their mobile app and invoke it? Will they write their own certificate validation routines from scratch? Do they have what it takes to get this right?
  • Where will they store this certificate that they’re pinning? Will they store it in the operating system’s trust store? Will it be a file in the application area of the device’s file system? Will it be embedded in the binary? Depending on which way you do store the cert, you make it substantially easier or massively harder to pin a different cert in the future if there is ever a problem (e.g., private key compromise).

A bunch of organisations are WAY better qualified to do this than your average app developer (including Apple, Google, and OpenSSL). Every single one of them that has tried has had major screw ups in their implementations at various times. Which app developer will have a better success record than Apple, Google, and OpenSSL?

Am I arguing that you NEVER do certificate pinning? No, there are plenty of people who should. But the chances of you screwing it up and making your app MORE susceptible to man-in-the-middle, due to an implementation error, are sometimes higher than the chances that someone will do something interesting by man-in-the-middle attacking the app. It’s all cost/benefits. And the cost of cert pinning is HUGE, and the benefit is only high for a few situations that really face important challenges.

We have looked at so many cert pinning implementations and found so many screw-ups. Apps that had all sorts of ticking time bombs that were just waiting to blow up (e.g., when the cert expires, if the app can’t be updated because the user’s device is on an old version of the platform, etc.).

One simply cannot say “you don’t do cert pinning, therefore you must do cert pinning.”

Paco

Daniel Miessler

Jan 20, 2016, 3:37:38 PM1/20/16
to Paco Hope, Javi D R, OWASP Mobile Top Ten



Javi D R

Jan 20, 2016, 3:46:03 PM1/20/16
to Paco Hope, OWASP Mobile Top Ten
Great explanation

I would add another point. When the cert is updated on the server side, all the users need to upgrade the client app. For big companies, this could be a problem.

Jim Manico

Jan 20, 2016, 4:48:51 PM1/20/16
to Paco Hope, Javi D R, OWASP Mobile Top Ten
Since when did any of us get paid to do easy stuff? :)

Pinning is extremely challenging and can lead to DOS if you do it wrong. Very good points Paco. It's non trivial - at best.

But pinning is certainly something I think is worth investing in for high risk apps.

Aloha,
Jim

Milan Singh Thakur

Jan 21, 2016, 1:19:34 AM1/21/16
to Jim Manico, OWASP Mobile Top 10 Risks, Paco Hope, Javi D R

Right, Jim... We get paid for handling such risky tasks.

Paco just showed us the developer's side of the hectic work involved in "certificate pinning".
But I guess it is worth it for highly commercial apps (almost every mobile app wants to do a transaction).

Should we add it as a suggestion or recommendation in the guide??
Sorry developers, no hard feelings ;)

Just Pure Security.. !!

Regards
Milan

Anant Shrivastava

Jan 21, 2016, 1:25:53 AM1/21/16
to Milan Singh Thakur, Jim Manico, OWASP Mobile Top 10 Risks, Paco Hope, Javi D R
From how I look at it, I believe we should add it, but we should clearly convey that this is a deterrent and there are multiple caveats attached to it, so that devs are aware of what they are getting into, and then, once we have clarified that, it doesn't backfire in case someone is able to bypass it.

BTW, as a think group, we might want to spend our energies on trying to find solutions for such problems, by conceptualising, counter-arguing each other's ideas and coming up with something which could work amongst all entities.

Bao Le

Jan 21, 2016, 1:27:55 AM1/21/16
to Milan Singh Thakur, Jim Manico, OWASP Mobile Top 10 Risks, Paco Hope, Javi D R
I think the section “Certificate Pinning” should be included in Transport Layer Protection, and I also think it might be helpful for banking, financial, or similar ones that need to protect their data for transactions, including customer data.

Thanks & Best Regards!
Lê Quốc Bảo
Mobile: 0915840284
Skype: whitehatpanda


Javi D R

Jan 21, 2016, 3:14:13 AM1/21/16
to Bao Le, Milan Singh Thakur, Jim Manico, OWASP Mobile Top 10 Risks, Paco Hope
Hi

Agree that it should be added. People don't need to do everything that is in this guide.

Depending on their app's nature, they need to evaluate if this recommendation should be applied to their app, but it has to be in the guide.

Milan Singh Thakur

Jan 21, 2016, 3:31:07 AM1/21/16
to Javi D R, Bao Le, Paco Hope, Jim Manico, OWASP Mobile Top 10 Risks

Right, Javi...
Our job is to show multiple recommendations, but choosing them is to be decided based on application requirements.

Jim Manico

Jan 21, 2016, 12:25:53 PM1/21/16
to Milan Singh Thakur, OWASP Mobile Top 10 Risks, Paco Hope, Javi D R
I think Paco is right to point this out. Pinning done right is VERY
difficult. If you do it wrong you can DOS your users, easily. Adding a
warning that this is a complex control seems reasonable to me.

- Jim

Jason Axley

Feb 19, 2016, 2:14:43 AM2/19/16
to Jim Manico, Milan Singh Thakur, OWASP Mobile Top 10 Risks, Paco Hope, Javi D R
Right, pinning must be done properly with proper operations involvement. I had some devs who got "lack of cert pinning" on a pen test report wanting to ship out cert pinning that weekend. I said, um, no, don't do that. You need to think through the DoS possibility and how you're going to make sure the cert gets rolled. Your load balancer operations team that terminates your SSL is often not the same as the web services operation team, and neither of those are the dev team or QA, so you need all of those peeps.

At my former employer, I was looking into using HTTP Public Key Pinning (HPKP) as a means to communicate the pins in a standard way that would secure both web apps and mobile apps using the same server API with only one place to manage pinning information.  There's a lot more thought that has to go into a solution built around that idea, such as how to deal with the Trust On First Use problem of HPKP though (which you could deal with in several ways, such as shipping the pin in the app as well as allowing changes in the pins to be communicated via the headers subsequently) - and still need operational teams to be on board with who's responsible for updating the HPKP info whenever you change CAs or intermediates.  They were requesting that load balancer vendors support HPKP so that when you add a cert, it could auto-generate the headers for you and give you tools to manage it as part of normal BAU.  Has anyone thought about a system like this?  My goal had been to reduce operational complexity by reducing the # of teams involved and handoffs between teams that could be dropped/missed and result in expired certs getting renewed before the apps can update - as well as bringing pinning to the web as well as mobile apps.

-Jason
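
As an added illustration (not code from any poster or project in this thread) of what is being discussed above: Anant's point that pinning replaces the device trust store with hashes of your own chain, Jeroen's and Javi's point that the app must already carry the next certificate before rotation, and Jason's idea of HPKP-style pin refresh without a trust-on-first-use gap. The SPKI byte strings are constructed placeholders, not real certificates, and the function names are my own.

```python
import base64
import hashlib
import re

# Constructed stand-ins for SubjectPublicKeyInfo DER blobs (not real keys).
INTER_SPKI = b"constructed-spki:example-intermediate-ca"
LEAF_OLD_SPKI = b"constructed-spki:example-leaf-2016"
LEAF_NEW_SPKI = b"constructed-spki:example-leaf-2017"
MITM_CA_SPKI = b"constructed-spki:proxy-ca-added-to-device-store"
MITM_LEAF_SPKI = b"constructed-spki:proxy-issued-leaf"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Pins the app ships with: the intermediate (so the leaf can be renewed
# underneath it) plus the NEXT leaf key as an offline backup pin.
SHIPPED_PINS = {spki_pin(INTER_SPKI), spki_pin(LEAF_NEW_SPKI)}


def chain_matches(chain_spki: list, pins: set) -> bool:
    """Pinning passes if any certificate in the presented chain hits a pin.

    A proxy CA installed in the device trust store passes ordinary chain
    validation but never matches a pin, which is the case Anant describes."""
    return any(spki_pin(der) in pins for der in chain_spki)


def valid_pin_set(chain_spki: list, pins: set) -> bool:
    """A deployable pin set needs a pin matching the live chain AND at
    least one backup pin not in it, so expiry or key loss cannot lock
    every installed client out (the DoS Jim and Javi warn about)."""
    chain_pins = {spki_pin(der) for der in chain_spki}
    return bool(chain_pins & pins) and bool(pins - chain_pins)


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value into its pins and max-age."""
    pins = re.findall(r'pin-sha256="([^"]+)"', header)
    age = re.search(r"max-age=(\d+)", header)
    return {"pins": pins, "max_age": int(age.group(1)) if age else 0}


def refresh_pins(stored: set, chain_spki: list, header: str) -> set:
    """Accept header-advertised pins only over a connection that already
    passed the stored pins; shipping pins in the app removes the
    trust-on-first-use window, and a malformed set is ignored."""
    if not chain_matches(chain_spki, stored):
        return stored
    advertised = set(parse_hpkp(header)["pins"])
    if not valid_pin_set(chain_spki, advertised):
        return stored
    return advertised
```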

Raphael de Almeida

Feb 19, 2016, 8:03:08 AM2/19/16
to Jason Axley, Jim Manico, Milan Singh Thakur, OWASP Mobile Top 10 Risks, Paco Hope, Javi D R
Jason,

You're totally right with this statement. The complexity of the process kills the easy implementation, and I see a lot of companies having difficulties understanding pinning and the load balancer SSL role in the process. Even though the process is demanding, and as it works on layer 5 of the OSI model, I really don't see any alternative in another layer that can provide the security at the cryptographic level. But once you have the public key I don't see any problem at all after the cert is issued. It'd have a problem with the communication regarding DoS only in the next update, right?

I'm sorry if I'm mistaken but perhaps I don't understand the TOFU concept. I really thought it was used for human verification, I really don't see this in mobile implementation as someone accepting the connection with the server. Apologize for not understanding.

Thanks and best regards.

Raphael Denipotti