The Rise of Certificate Pinning

Today, attackers can exploit the certificate trust model to intercept encrypted traffic. A client normally accepts any server certificate that chains to one of the many root CAs in its trust store, so anyone who can add a root to that store, or obtain a certificate from one of those CAs, can impersonate a server. For example, malware can install a fake root CA certificate on a device; once it is installed, the malware or a malicious proxy can present certificates signed by that root and eavesdrop on communications. Hardware manufacturers have also shipped devices with their own root certificates pre-installed, and certificate authorities (CAs) can mis-issue certificates on behalf of dishonest organizations. Recent headlines indicate that the certificate trust model is broken.
How Certificate Pinning Works

Because of these risks, many application owners are implementing certificate pinning to verify the identity of their application servers. Instead of accepting any certificate that chains to a root the device trusts, a pinned app ships with the expected server certificate, or more commonly a hash of the server's public key (its subjectPublicKeyInfo), and compares what the server presents against that "pinned" value at connection time. If the certificate does not match, the app refuses the connection, even when the certificate is otherwise valid. This defeats fraud and Man-in-the-Middle (MitM) attacks that rely on a rogue or mis-issued certificate. In practice, apps pin the public key hash rather than the whole certificate and ship at least one backup pin, so that a routine certificate renewal or key rotation does not lock every user out. Many popular mobile apps, including business and social media apps, use certificate pinning.
Security Black Holes Created by Certificate Pinning

While certificate pinning improves user privacy, it also exposes a gap in corporate defenses. Traditional security controls like firewalls inspect encrypted traffic by terminating the TLS (SSL) connection and presenting the client with a certificate issued by a locally installed inspection CA. A pinned app rejects that certificate because it does not match the pin, regardless of whether the device trusts the inspection CA, so the traffic is not decrypted; the connection simply fails. As a result, Data Loss Prevention (DLP) platforms cannot detect when employees share confidential data through mobile apps, and Advanced Threat Protection (ATP) solutions cannot detect malware sent through them. The full spectrum of network security solutions loses visibility into these connections; certificate pinning creates a black hole in an organization's defenses.

As more and more apps add certificate pinning, security-conscious organizations have to decide whether to block this traffic or let it through their firewalls uninspected. Many will undoubtedly choose to allow it, but in doing so they leave themselves open to attack. Others, like the InfoSec team at the Fortune 500 company that I spoke to, will choose to block this traffic.

On April 19, I will host a session at BSidesSF and I’ll propose an alternative way to inspect this traffic. In my session, "Stick a Pin in Certificate Pinning: How to Inspect Mobile Traffic and Stop Data Exfiltration," I will discuss how attackers can use certificate pinning to bypass security controls. I will also suggest creative ways to help InfoSec teams regain visibility into mobile apps that use certificate pinning. If you are in San Francisco, please be sure to attend.
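To make the "how pinning works" and "why inspection proxies fail" sections above concrete, here is an added example; it is not code from the original post. It is a small Python pin check that extracts the subjectPublicKeyInfo from a DER certificate, hashes it the way HPKP and OkHttp's CertificatePinner do (base64 of SHA-256 over the SPKI), and compares the result against the pins an app would ship with. Everything in it is constructed: the CA names (Example Public CA, Corp Inspection Root), the host app.example.com, and the key bytes are placeholders; the certificates are structurally valid X.509 but carry dummy signatures; and chain_trusted is a toy stand-in for real path validation, included only to show that the trust store and the pin set are independent checks.

```python
"""Certificate pinning check run offline against constructed certificates (added example)."""
import base64
import hashlib

# --- minimal DER (ASN.1) encode/decode helpers --------------------------------

def _tlv(tag, content):
    """Encode one DER tag-length-value triple (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed value into (tag, value, raw_tlv_bytes) triples."""
    out, pos = [], 0
    while pos < len(buf):
        start = pos
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value, buf[start:pos]))
    return out


CN_OID = b"\x55\x04\x03"                                  # 2.5.4.3 commonName
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11 sha256WithRSA


def _tbs_fields(cert_der):
    """TBSCertificate fields in order: serial, signature, issuer, validity, subject, spki, ..."""
    _, cert_body, _ = _children(cert_der)[0]     # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = _children(cert_body)[0]
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                     # optional explicit [0] version (v2/v3)
        fields = fields[1:]
    return fields


def spki_from_cert(cert_der):
    """Return the DER subjectPublicKeyInfo; this is the value that gets pinned."""
    tag, _, raw = _tbs_fields(cert_der)[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return raw


def issuer_cn(cert_der):
    """Return the issuer's commonName, or None if the issuer Name carries no CN."""
    _, name, _ = _tbs_fields(cert_der)[2]
    for _, rdn, _ in _children(name):            # Name ::= SEQUENCE OF RelativeDistinguishedName
        for _, atv, _ in _children(rdn):         # RDN ::= SET OF AttributeTypeAndValue
            (_, oid, _), (_, value, _) = _children(atv)[:2]
            if oid == CN_OID:
                return value.decode("utf-8")
    return None


def spki_pin(spki_der):
    """Pin = base64(SHA-256(SPKI DER)), the digest format used by HPKP and OkHttp."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_trusted(cert_der, device_roots):
    """Toy stand-in for path validation: accept if the issuer is an installed root.
    (A real TLS stack also checks signatures, names and validity; not modelled here.)"""
    return issuer_cn(cert_der) in device_roots


def pin_ok(cert_der, pins):
    """The pinning check proper: does the presented SPKI match one of the app's pins?"""
    return spki_pin(spki_from_cert(cert_der)) in pins


def connection_allowed(cert_der, device_roots, pins):
    """A pinned app needs both a trusted chain and a matching pin; otherwise it refuses to connect."""
    return chain_trusted(cert_der, device_roots) and pin_ok(cert_der, pins)


# --- constructed sample certificates (placeholder keys, dummy signatures) ------

def _spki(key_bytes):
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + key_bytes))


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0c, cn.encode()))))


def make_cert(issuer, subject, spki_der):
    """Build a structurally valid X.509 v3 certificate whose signature is a placeholder."""
    sig_alg = _tlv(0x30, _tlv(0x06, SHA256_RSA_OID) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + sig_alg + _name(issuer) + validity + _name(subject) + spki_der)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 17))


SERVER_SPKI = _spki(b"\x01" * 32)   # the app's real backend key (constructed)
BACKUP_SPKI = _spki(b"\x02" * 32)   # spare key held offline for rotation (constructed)
PROXY_SPKI = _spki(b"\x03" * 32)    # key of the corporate TLS-inspection proxy (constructed)

DEVICE_ROOTS = {"Example Public CA", "Corp Inspection Root"}   # second root pushed by MDM
PINS = {spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)}          # shipped inside the app

SERVER_CERT = make_cert("Example Public CA", "app.example.com", SERVER_SPKI)
PROXY_CERT = make_cert("Corp Inspection Root", "app.example.com", PROXY_SPKI)  # minted by the proxy

if __name__ == "__main__":
    for label, cert in (("genuine server", SERVER_CERT), ("inspection proxy", PROXY_CERT)):
        print(f"{label:16} issuer={issuer_cn(cert)!r:23} chain_ok={chain_trusted(cert, DEVICE_ROOTS)!s:5} "
              f"pin_ok={pin_ok(cert, PINS)!s:5} allowed={connection_allowed(cert, DEVICE_ROOTS, PINS)}")
```

Run it and the proxy-minted certificate passes the trust-store check, because the device trusts the inspection root, but fails the pin check: the app refuses the connection instead of letting the proxy decrypt it, which is exactly the visibility gap described above. The backup pin is what lets the operator rotate the server key without shipping a new app build; in a real app the certificate bytes come from the TLS stack (for example `sock.getpeercert(binary_form=True)` in Python) rather than from make_cert.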