2

I'm building an Android app and the client want me to do SSL Pinning to avoid any Mitm attacks. I've already implemented complete encryption and decryption on my API requests (JSON Format) and the corresponding responses (JSON Format).

By searching the web and reading a few blogs, my understanding of Mitm attacks is that the attacker can intercept the request, modify the data and send it to backend server and then alter the response and push it back to the client app with incorrect data. But since my request and response are completely encrypted (ciphering), is it still possible to carry out Mitm attacks on my app and alter the data?

I understand that the request still can be intercepted and the encrypted data is visible to attacker but since he don't have keys to decrypt so it's of no use and if the encrypted string is altered, the decryption will fail causing the app to not load any thing mimicking the behavior of Mitm where if the certificate keys mismatch, the connection is terminated.

And I found this solution here to implement SSL Pinning in android application with Volley library. Is it enough or should I implement some other methods?

halfer
  • 19,824
  • 17
  • 99
  • 186
Joe
  • 173
  • 1
  • 15
  • SSL using proper certificate validation is not vulnerable to MiTM attack. Pinning is another additional feature on the client side to further restrict the surface area for MiTM attacks. For many software platforms like Android, Java, Linux, Firefox, etc. a huge list of certificate authorities is presumed trusted. This is necessary because these platforms are global, and can't be seen to favor CA's in some country or region over another. However, you can be much more restrictive and only trust one, or perhaps a few CAs at most. This makes your software largely immune from the rogue CA. – President James K. Polk Aug 02 '21 at 03:41
  • 1
    You can "pin" any certificate you want, it can be a root CA cert, an intermediate CA cert, or even the web server cert. The problem with pinning a lower-level cert is that, when the cert expires and has to be renewed, you have to update your software to incorporate the new cert if they also change keys. This is a pain for users. Also, since your pinned certs are already trusted by you the contents of the cert is basically irrelevant, is just the public key that you are really trusting. So some variants of pinning only deal with the public key or a hash of the public key. – President James K. Polk Aug 02 '21 at 03:45
  • appreciate your time @PresidentJamesK.Polk , can you please tell me if the encryption/decryption of communication is enough as a second option if the pinning is bypass? – Joe Aug 02 '21 at 07:52
  • @Joe pinning is a different aspect from encryption altogether. With pinning your software should not send any data, encrypted or not, unless the endpoint it is connected to matches your specific pinning rules. It is a different thing from encrypting your payloads. I recommend implementing cert pinning as it is generally pretty easy in modern frameworks, and makes it more difficult for a potential attacker. – zaitsman Aug 05 '21 at 03:47

0 Answers0