With the rise of mobile banking apps, users can now enjoy banking services from the comfort of their Android devices. However, the prevalence of Man-In-The-Middle (MITM) attacks pose a serious security threat to mobile banking users. For example, cyber thugs can steal their banking details in between their servers and browsers. Such attacks can lead to the loss of their money since hackers can access their passwords and empty their bank accounts. Therefore, it becomes necessary for mobile app developers and the banking systems that use them to take precautionary measures to safeguard their customers. One way of doing that is using SSL certificates.
However, the rise of fraudulent CAs issuing compromised SSL certificates raises the bar for security, and hence, necessitating SSL certificate pinning. In the remaining sections of this post, I will reveal more details about this solution to mobile banking security. I will disclose what it is, how to implement it, and its pros and limitations. So, remain on board so you don’t miss anything.
- Understanding SSL Pinning
Before proceeding, I would like us to define SSL certificate pinning. In short, SSL certificate pinning, or public key pinning, is a framework that reduces overdependence on third parties when making security decisions that affect identities. Also, it independently defines a legitimate and valid encryption key. This ensures that the user can check the server’s certificate to ensure that it has a genuine chain that matches the host name they request.
SSL certificate pinning ensures that an Android app ignores its device’s trusted store and depends on itself. This, in turn, allows only SSL connections to hosts that are signed in with SSL certificates stored inside the app. This ensures that users don’t install unsafe certificates that could open a door for MITM attacks.
- Pros
So, what are the advantages of SSL certificate pinning? Here are the two main ones:
- Enhanced security
By pinning SSL certificates, you allow an Android banking app to act independent of its device’s trusted store. This way, it becomes difficult to compromise the coded trust store because it would require a complete decompiling, changing, and recompiling of the app. This means that it will be necessary to sign in using a different Android keystroke the app’s developer used initially.
- Cost reduction
Cost reduction is another SSL pinning benefit because it enables you to utilize credible self-signed certificates. This way, you can pin the certificate in your Android application, thus eliminating the need for buying new SSL certificates.
- Limitations
Besides the benefits we have examined above, pinning SSL certificates is also limited. Here is its limitation:
- It’s cumbersome to change SSL certificates
By pinning an Android app, it becomes hard to change the SSL certificate. The reason is that you will need to update an Android application and resend it to Google Play for your customers to reinstall it.
- Three Ways of Implementing SSL Pinning on Android
In this section of our discussion, I will discuss three main ways of implementing certificate pinning on Android apps. Here are the three main ways of doing it:
- TrustManager
TrustManager is the first method of implementing it on Android. But what is TrustManager? It is a component that decides whether an application needs to accept the credentials a peer submits or not. You can source it from the javax.net.ssl.
- OkHttp and CertificatePinner
This solution is another way of implementing certificate pinning for Android and Java. This method is easy to use because it only requires users to create an instance of CertificatePinner using dedicated builders with corresponding fingerprints.
- Network Security Configuration (NSC)
Lastly, you can implement the pinning process using this platform. The NSC offers users a fresh and easy way of handling network configuration. cc. With it, users can use XML files to declare communication methods such as certificate pinning.
- Pinning SSL Certificates
This last section of our discussion focuses on developers. Here, I will disclose the three main certificates a developer needs to have in mind because the certificates they choose impact the scope of security they will attain. Here they are:
- Leaf certificate>
By pinning against a leaf certificate, you have a 100 percent guarantee that it is your certificate, and hence, you validate your chain. However, these certificates have shorter expiry times. This means that if a need to re-issue SSL certificates arises because of a compromise in their private key, you will need to update your app. Otherwise, the app will remain blocked until you update it.
- Intermediate certificate
When you pin against an intermediate certificate, you trust that its CA will not issue a certificate you use on your server fraudulently or wrongly. But why is this beneficial? It is advantageous because if you intend to keep your SSL certificate supplier, you will not need to update your application even if you changed your leaf certificates.
- Root certificate
Lastly, you can pin against your root certificate. This way, you will be voicing your support for your CA and its intermediaries, meaning, you don’t expect them to issue your certificates wrongly. When pinning, we recommend you pin against several levels instead of one certificate in the chain. This way, you will reduce the possibilities of blocking your application at the expense of confiding in several CAs.
Closing Remarks
Even though the use of Android apps for banking transactions has enhanced how people access banking services, it still exposes them to real threats. For example, MITM attacks are some of the threats that could compromise user safety and even lead to the loss of their hard-earned money. However, pinning SSL certificates for Android banking apps is one way of sealing the security loopholes that face modern users. In this post, I shared valuable information that defined certificate pinning, disclosed its benefits, revealed its limitations, and explored how best to implement it. I hope the information has opened your eyes to see how this solution can secure your users.