SSL Certificate Pinning
Mobile Security Misconfiguration (SSL Certificate Pinning)
Overview of the Vulnerability
Mobile security misconfigurations can occur at any level of the application stack, including unpatched software, unprotected files or pages, or unauthorized access to the application. SSL certificate pinning adds an extra layer of security by forcing the application to validate the server's certificate (or the CA certificate that issued it) against a known copy bundled with the application, instead of accepting any certificate issued by a CA in the device's trust store.
When SSL certificate pinning is missing or misconfigured, an attacker who can intercept the device's network traffic can perform a Person-in-the-Middle (PitM) attack: the application accepts a certificate the attacker controls, and the attacker can read and modify the supposedly encrypted traffic. With access to sensitive data obtained this way, they could perform further attacks against the application, the business, or its users.
Business Impact
This vulnerability can lead to the exposure of sensitive data sent over the intercepted connection and to reputational damage, as customers may view the application as insecure.
Steps to Reproduce
Install the application on your mobile device
Route your mobile device's HTTP(S) traffic through a proxy server and install/trust the proxy server's CA certificate on the device
Execute the following payload:
{{payload}}
Open the application and observe that its HTTPS traffic is decrypted and visible in the proxy server, which shows that the application accepted the proxy's certificate and that certificate pinning is missing or misconfigured
Proof of Concept (PoC)
The screenshot below shows the mobile security misconfiguration:
{{screenshot}}
Recommendation(s)
It is recommended to securely implement SSL certificate pinning for the application using the platform's supported pinning mechanism, so that the application rejects any server certificate whose pin is not in its configured set.
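As an added illustration (not part of this template, and not the code of any platform or library it mentions), the stdlib-only Python below shows the mechanism a correct pinning implementation relies on: it extracts the SubjectPublicKeyInfo (SPKI) from a certificate's DER encoding, derives the `sha256/<base64>` pin value used by Android's network_security_config, OkHttp's CertificatePinner and RFC 7469, and accepts a connection only when that pin is in the configured set, failing closed when the set is empty. The certificates are constructed inline around Ed25519 keys (they are unsigned and only structurally valid) so the example runs offline; on a real connection `cert_der` would come from `ssl.SSLSocket.getpeercert(binary_form=True)`. The function and variable names are this example's own.

```python
"""Added example: SPKI pin derivation and fail-closed pin-set verification."""
import base64
import hashlib
import hmac


# --- minimal DER helpers --------------------------------------------------

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used here only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nb = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, pos, pos + length


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, value_start, value_end) for each child TLV."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_read(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from an X.509 certificate DER.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
        issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cstart, _ = der_read(cert_der, 0)                # Certificate
    _, tstart, tend = der_read(cert_der, cstart)        # TBSCertificate
    fields = list(der_children(cert_der, tstart, tend))
    if fields and fields[0][0] == 0xA0:                 # explicit [0] version
        fields = fields[1:]
    tag, tlv_start, _, vend = fields[5]                 # index 5 = SPKI
    if tag != 0x30:
        raise ValueError("unexpected tag for SubjectPublicKeyInfo")
    return cert_der[tlv_start:vend]


# --- pinning logic --------------------------------------------------------

def spki_pin(spki_der: bytes) -> str:
    """'sha256/<base64>' pin over the DER SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der: bytes, pins) -> bool:
    """Fail closed: accept the certificate only if its SPKI pin is configured."""
    pins = set(pins)
    if not pins:
        return False                       # an empty pin set is a misconfiguration
    actual = spki_pin(extract_spki(cert_der))
    return any(hmac.compare_digest(actual, p) for p in pins)


# --- constructed sample data (not a real certificate) ---------------------

def build_sample_cert(pubkey: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 public key in a minimal, unsigned certificate."""
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2b\x65\x70"))  # id-Ed25519
                   + der_tlv(0x03, b"\x00" + pubkey))                   # BIT STRING
    empty_seq = der_tlv(0x30, b"")
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # version v3
                  + der_tlv(0x02, b"\x01")                # serialNumber
                  + empty_seq + empty_seq                 # signature alg, issuer
                  + empty_seq + empty_seq                 # validity, subject
                  + spki)
    return der_tlv(0x30, tbs + empty_seq + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    server_cert = build_sample_cert(bytes(range(32)))     # the app's real server
    proxy_cert = build_sample_cert(bytes(range(32, 64)))  # key behind an interception proxy
    primary = spki_pin(extract_spki(server_cert))
    backup = "sha256/" + base64.b64encode(b"\x11" * 32).decode()  # placeholder backup pin
    print("pin to ship:", primary)
    print("server accepted:", pin_matches(server_cert, {primary, backup}))  # True
    print("proxy accepted:", pin_matches(proxy_cert, {primary, backup}))    # False
    print("no pins configured:", pin_matches(server_cert, set()))           # False
```

Two design points carry over to any platform's pinning configuration: the set holds a primary pin and at least one backup pin for a key not yet deployed, so that a planned key rotation does not lock users out, and the check fails closed, so an empty or missing pin set is treated as a failure rather than silently falling back to the device's trust store. A proxy-issued certificate fails the check even though the device trusts the proxy's CA, which is exactly the behaviour the "Steps to Reproduce" above look for.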
It is also recommended that the mobile application's security is managed through a repeatable configuration process that covers application hardening, updates, and patches. A verification step in the development and delivery cycles should test that the configurations and settings, including the pinning itself, are effective.
For further information, please refer to: https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html