Certification Pinning and Root Detection: Helpful but Not Unhackable

[Image: a pin and a tree]
Pinning won’t keep away the storm on the horizon.

Introduction

As mobile app developers, we are constantly striving to create secure and reliable applications for our users. To achieve this, we often employ various security measures such as certificate pinning and root detection. While these practices undoubtedly enhance the security of a mobile app, it’s important to understand that no solution is ever completely hack-proof. In this blog post, we will discuss why certificate pinning and root detection are essential, but also explain why they ultimately only slow down attackers and do not guarantee absolute security.

Certificate Pinning: Strengthening Trust

Certificate pinning is the practice of associating a host with a specific certificate or public key. This ensures that the app only communicates with the intended server, even if an attacker manages to compromise a Certificate Authority (CA) and issue a fraudulent certificate for that server. By doing so, certificate pinning prevents man-in-the-middle (MITM) attacks, where attackers intercept and manipulate the communication between the app and the server.

However, as beneficial as certificate pinning is, it does not make your app immune to attacks. Determined hackers can still reverse-engineer your app to bypass or remove the certificate pinning mechanism, allowing them to intercept the communication using a fraudulent certificate. Although this process takes time and skill, it is not impossible.
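To make the mechanism concrete, here is an added example (written for this post, not code from the original article or from any library) of the check a pinning implementation performs: hash the Subject Public Key Info (SPKI) of each certificate in the presented chain and accept the connection only if one of those hashes is in the app's shipped pin set. The SPKI byte strings, the host name, the expiry date and the "fall back to plain CA validation after the pins expire" policy are all assumptions made for the example; real SPKI is the DER-encoded SubjectPublicKeyInfo field of an X.509 certificate.

```python
"""Public-key pinning check (added example; constructed inputs)."""
import base64
import hashlib
from datetime import date
from typing import Iterable, Set

# Constructed placeholder SPKI blobs. In a real app these are the DER bytes of
# the SubjectPublicKeyInfo field pulled from the certificates in the TLS chain.
SERVER_SPKI = b"constructed-der-spki-of-api.example.com-current-key"
BACKUP_SPKI = b"constructed-der-spki-of-api.example.com-next-key"
ROGUE_SPKI = b"constructed-der-spki-from-a-fraudulently-issued-cert"


def spki_pin(spki_der: bytes) -> str:
    """HPKP/OkHttp-style pin string: 'sha256/' + base64(SHA-256(SPKI))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


# Pin set shipped inside the app: the live key plus one backup key, so that a
# planned key rotation does not lock every installed copy of the app out.
PINSET: Set[str] = {spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)}

# Pins are dated (assumed policy): after this date the app stops enforcing
# them and relies on ordinary CA validation instead of refusing to connect.
PINS_EXPIRE = date(2026, 1, 1)
TODAY = date(2025, 6, 1)          # constructed "current" date for the demo
AFTER_EXPIRY = date(2026, 2, 1)   # constructed date past PINS_EXPIRE


def chain_matches(chain_spkis: Iterable[bytes], pinset: Set[str]) -> bool:
    """True if any certificate in the chain carries a pinned public key.

    Pinning is evaluated *after* the TLS stack has validated the chain against
    the system trust store; it narrows trust, it never replaces validation.
    """
    if not pinset:
        # An empty pin set would make every chain pass; fail loudly instead.
        raise ValueError("empty pin set silently disables pinning")
    return any(spki_pin(spki) in pinset for spki in chain_spkis)


def evaluate(chain_spkis: Iterable[bytes], today: date,
             pinset: Set[str] = PINSET, expires: date = PINS_EXPIRE) -> str:
    """Return 'pinned', 'rejected' or 'pins-expired' for a presented chain."""
    if today > expires:
        return "pins-expired"
    return "pinned" if chain_matches(chain_spkis, pinset) else "rejected"


if __name__ == "__main__":
    # Legitimate chain: leaf first, then intermediate and root.
    print(evaluate([SERVER_SPKI, b"intermediate", b"root"], TODAY))
    # Chain issued by a compromised CA: the leaf key differs even though the
    # root is a CA the device trusts, so the pin check rejects it.
    print(evaluate([ROGUE_SPKI, b"ca-intermediate", b"root"], TODAY))
```

Two design points worth noting: the pins target the leaf (or intermediate) public key rather than the root, which is exactly why a fraudulently issued certificate chaining to a trusted root still fails; and the pin set is dated, because a pin set with no rotation plan turns a routine key change into an outage.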

Root Detection: Uncovering Hidden Threats

Root detection is another common security measure implemented in mobile apps to protect against unauthorized access and tampering. This mechanism checks if a device has been rooted (Android) or jailbroken (iOS), which could potentially expose the app to security risks. If the app detects a compromised device, it can refuse to run or limit its functionality, protecting sensitive information and services.

While root detection is a valuable security feature, it is not foolproof. Skilled attackers can circumvent root detection mechanisms by employing a variety of techniques, such as obfuscating the detection process or using root-hiding tools. Consequently, relying solely on root detection will not render your app unhackable.

The Reality: No App is Unhackable

Although certificate pinning and root detection significantly improve your app’s security, it’s crucial to recognize that no security measure is infallible. By implementing these mechanisms, you make it more challenging for attackers to compromise your app, but you do not make it invulnerable. Instead, you delay or slow down the attacker, buying you time to detect and respond to any security breach.

In the ever-evolving world of cybersecurity, adopting a defense-in-depth strategy is vital. This approach involves implementing multiple layers of security measures to protect your app and the sensitive information it processes. By doing so, you force attackers to overcome a series of obstacles, making it increasingly difficult for them to succeed.
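The following added example (written for this post; not code from the original article) ties the root-detection section and the defense-in-depth point together: several independent device signals are collected, a graded decision (allow, limit, refuse) is made instead of a single yes/no, and an event is produced for the backend so that a device where the on-device checks were hooked or hidden still leaves something to detect server-side. The device snapshot is a constructed dictionary standing in for real file-system and build-property lookups, the indicator paths and package ids are illustrative examples of the kind of signal such checks look for, and the telemetry field names are assumptions.

```python
"""Layered root/jailbreak heuristics with a graded response (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Illustrative indicators associated with rooted Android / jailbroken iOS
# devices. Every one of them is cheap to hide or spoof on its own, which is why
# no single hit is treated as proof and why the result is also reported.
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")
JB_PATHS = ("/Applications/Cydia.app", "/usr/sbin/sshd", "/bin/bash", "/etc/apt")
ROOT_MANAGER_PACKAGES = ("com.topjohnwu.magisk", "eu.chainfire.supersu")


@dataclass
class DeviceSnapshot:
    """Constructed stand-in for what a real app reads from the device."""
    platform: str                      # "android" or "ios"
    files: Set[str]                    # paths that exist on the device
    packages: Set[str]                 # installed package ids (android only)
    build_tags: str = "release-keys"   # android ro.build.tags value
    writable_system: bool = False      # system partition mounted read-write
    debugger_attached: bool = False    # debugger / instrumentation attached


def collect_signals(d: DeviceSnapshot) -> List[str]:
    """Return the names of every indicator present; order is stable."""
    signals: List[str] = []
    paths = SU_PATHS if d.platform == "android" else JB_PATHS
    if any(p in d.files for p in paths):
        signals.append("root-binary-present")
    if d.platform == "android" and any(p in d.packages for p in ROOT_MANAGER_PACKAGES):
        signals.append("root-manager-installed")
    if d.platform == "android" and "test-keys" in d.build_tags:
        signals.append("test-keys-build")
    if d.writable_system:
        signals.append("system-partition-writable")
    if d.debugger_attached:
        signals.append("debugger-attached")
    return signals


def decide(signals: List[str]) -> str:
    """Graded response: one signal limits sensitive features, two or more
    refuse to run, none allows. Thresholds are an assumed policy."""
    if len(signals) >= 2:
        return "refuse"
    if signals:
        return "limit"
    return "allow"


def telemetry_event(d: DeviceSnapshot, signals: List[str], decision: str) -> Dict:
    """Event sent to the backend (field names assumed). Server-side correlation
    is the layer that survives when the on-device checks themselves are bypassed:
    a client that never reports a signal but behaves like a tampered one is
    still visible there."""
    return {
        "platform": d.platform,
        "signals": list(signals),
        "decision": decision,
        "checks_run": 5,  # lets the server spot clients whose checks were stubbed out
    }


if __name__ == "__main__":
    rooted = DeviceSnapshot("android", files={"/system/xbin/su"},
                            packages={"com.topjohnwu.magisk"}, build_tags="test-keys")
    sig = collect_signals(rooted)
    print(telemetry_event(rooted, sig, decide(sig)))
```

The point of the graded decision is the one the post makes: detection buys time, so the app should degrade sensitive functionality and report rather than rely on a single boolean that one hook can flip. Sending the event even when the decision is "allow" gives the backend a baseline against which suspiciously silent clients stand out.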

How?

As mentioned above, “No App is Unhackable.” Attackers can simply purchase pre-rooted devices and run off-the-shelf tooling to bypass both certificate pinning and root detection in many cases. The following are links to a few of the tools used by malicious actors and security researchers alike. This is just a small sample – there are many more tools out there.

https://github.com/frida/frida

https://github.com/sensepost/objection

https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security

Conclusion

Certificate pinning and root detection are essential components of a robust mobile app security strategy. They help protect your app from various threats and contribute to a more secure user experience. However, it is important not to view them as a guarantee of absolute security. Instead, treat them as part of a larger, comprehensive security plan that includes regular security audits, code reviews, and up-to-date security practices. Remember that in cybersecurity, there is no such thing as an unhackable app – staying ahead of attackers requires constant vigilance and adaptation.

References and Further Reading

https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning

https://owasp.org/www-project-mobile-top-10/2014-risks/m10-lack-of-binary-protections