What is SSL pinning and why do application developers use it?
Application developers use SSL pinning as an additional security layer for application traffic. It helps prevent man-in-the-middle attacks and makes it harder for attackers to analyse the functionality of the app and the way it communicates with the server. SSL pinning forces the client to trust only a valid, pre-defined server certificate or public key, which ensures that user devices communicate only with the dedicated, trusted servers.
How does it work?
Developers embed (or pin) a list of trusted certificates in the client application during development and compare them against the server certificate at runtime. If the server certificate does not match the local copy, the connection is simply dropped and no further user data is sent to that server.
There are usually two ways to achieve SSL pinning in client applications: pin either the whole certificate or the hash of its public key.
KEY CHALLENGES:
When applications (mobile apps, APIs, web apps) have SSL pinning enabled, it is difficult for customers to introduce security solutions or in-path devices that work on reverse-proxy technology, because such devices terminate SSL.
As soon as a reverse proxy is introduced between client and server, the SSL handshake is established between the application client and the reverse proxy, and the client receives the SSL certificate installed on the reverse proxy. Since that certificate does not match the pinned one, the client rejects the connection as an untrusted server.
STRATEGY & RECOMMENDED SOLUTION:
AppTrana cloud WAF provides the flexibility to configure SSL settings so that customers' SSL-pinned applications are fully compatible with AppTrana, as follows:
- To protect applications (mobile apps, APIs, web apps, etc.) that have SSL pinning enabled, customers can switch to a custom certificate on the AppTrana WAF and upload their own SSL certificate, the one embedded in the client. This way customers do not need to make any changes on the application side and can activate WAF protection for their SSL-pinned applications using AppTrana.
- If customers choose the free Let’s Encrypt certificate while onboarding on AppTrana, they need to add the Let’s Encrypt certificate to the trusted certificate list of the SSL pinning configuration so that the client trusts the certificate presented by AppTrana and establishes the connection.