Android Security: SSL Pinning vs Certificate Transparency
Everyone wishes to make an application which is secure and provide a feeling of safety and security to the user. But the question is how much effort we put in that process. It is completely impossible to make an application 100% secure. Our intention should always be to provide a more secure one which makes it hard for any hacker to break into.
There are hell lot of attacks possible on an Android app. Let’s focus on one such attack viz. Man-in-the-Middle (MitM) attack. Using HTTPS in the network layer alone cannot protect your communications to and fro with the server. An attacker can proxy the requests between your app and server if the Certificate Authority is compromised or by installing a self-signed certificate in the user’s device.
We can prevent MitM attack using SSL Pinning/Certificate Pinning/Pinning. SSL Pinning is the process of pinning the SSL Certificate of the required host from within the app. You can either pin a host using its certificate or public key. Whenever you make a call to the server, it will match the server’s SSL certificate or public key to the ones pinned in your app. It should match, so that your app will trust and establish a connection with the server.
I am not going to go further into the HOW_TOs and EXAMPLEs of SSL Pinning which is already available in abundance on the internet Eg: link. This article is all about giving introduction to the MitM attack, ways of preventing it and problems associated with it and the better one to choose from based on my experience.
Problems with SSL Pinning
One of the main drawbacks in employing SSL Pinning(certificate preloaded in the app) is that your app will bricked if the Certificate you’ve pinned changes, in case when the certificate expires or periodic certificate rotation or emergency certificate renewal due to a security breach. Even if you do not preload the certificate and rely on some over the air mechanism to fetch certificate on runtime, it comes with its own disadvantages.
If you hardcode the certificate or public key in the app, an attacker can reverse engineer and bypass the SSL Pinning. It can be made little bit difficult by doing code obfuscation. As I said, it just makes it a bit more harder for the hacker to bypass and not foolproof.
Overall the logic of validating the genuinity of the certificate is purely in the client end and it is always inviting for the hacker.
Certificate Transparency(CT) is a relatively newer concept which will fill most of the security holes left open by Certificate Pinning technique. CT provides an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, CT makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable Certificate Authority(CA). It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.
A system of public logs is created that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.
You can get more context on what Certificate Transparency is from here
The log server returns the SCT (Signed Certificate Timestamp) when you submit a certificate. The clients verify the signature of SCT for CT validation. We can get the list of SCTs in three ways,
1 -> Embedding the SCT in the certificate as an X.509v3 extension. The CA generates pre-certificates and send to log server to create SCT and send via X.509v3 extension.
2 -> Send SCT with TLS handshake. This is done from your server.
3 -> Send SCT as OCSP(Online Certificate Status Protocol) extension through OCSP stapling. In this method when the client asks, the server makes OCSP request to the CA and get SCT and send to the client. This also needs server support.
Some of the libraries available to implement CT in your Android app are Conscrypt, certificate-transparency-java and certificate-transparency-android. The certificate-transparency-android library is android specific. It provides integration with network libraries like Retrofit, Volley, HttpURLConnection, OkHttp, ect and it is very easy to implement.
Certificate Transparency is more secure than SSL Pinning. But, it does not protect from rogue certificates that were publicly logged. Different business requirement asks for different technology. Select whichever approach suits your requirement based on the pros and cons.