SSL Pinning

SSL Pinning, or Certificate Pinning, is a security technique used to ensure that the application establishes secure connections only with previously authorized servers by verifying the digital certificate or public key presented during the SSL/TLS handshake. This approach adds an extra layer of validation, independent of the operating system's certificate store, significantly reducing the risk of Man-in-the-Middle (MITM) attacks, even in scenarios where fake root certificates are installed on the device.

SSL pinning ensures that only the preconfigured cryptographic identity is accepted by the application, preventing interception, analysis, or modification of requests exchanged with the backend and protecting the confidentiality and integrity of transmitted data.

Technical Mechanism: Instead of relying exclusively on the operating system's certificate chain, MAD validates the certificate presented by the server by comparing it with one or more cryptographic pins embedded in the application. These pins correspond to predefined hashes stored securely, and the connection is considered valid only when there is a match with at least one of the configured values.

Pinning configuration: this option defines the pinning rules for the specified domains. MAD supports two pinning methods, selected by the type attribute of the <pin> element.

a. Public Key Pinning (type="publicKey")

This is the recommended and default method. In this mode, the hash of the certificate's Subject Public Key Info (SPKI) is pinned. This approach is more flexible, as it allows the certificate to expire and be renewed without requiring an application update, provided the same public/private key pair is retained.

To generate the public key pin:

            openssl s_client -servername example.com -connect example.com:443 < /dev/null | \
            openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | \
            openssl dgst -sha256 -binary | openssl enc -base64 

b. Certificate Pinning (type="certificate")

In this method, the hash of the entire digital certificate is pinned. This is a more restrictive approach, since any change to the certificate, including simple renewals, will require an application update to avoid connection failures.

To generate the certificate pin:

            openssl s_client -servername example.com -connect example.com:443 < /dev/null | \
            openssl x509 -outform DER | openssl dgst -sha256 -binary | openssl enc -base64   

The certificate pinning configuration is performed via the application's XML. The mode of operation can be set to strict or permissive. In strict mode, the connection will be blocked if no valid pin matches. In permissive mode, pinning failures are only reported, making it suitable for testing or controlled environments.

Each host defines specific pinning rules for a given domain. Wildcards, such as *.example.com, can be used to cover subdomains. When multiple pins are configured for the same host, the connection will be considered valid if at least one of them matches, allowing secure certificate rotation strategies.
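The renewal behaviour of the two pin types and the need for a second pin during key rotation, as an added example that is not part of the original documentation: it applies the same digest pipelines as the commands above to local certificate files instead of a live server. The function names, temporary files and self-signed test certificates for example.com are constructed for this example.

```shell
#!/bin/sh
# Added example. Keys and certificates are constructed locally; nothing is fetched.

# Base64(SHA-256(DER SubjectPublicKeyInfo)) of a PEM certificate file.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout |
        openssl pkey -pubin -outform der |
        openssl dgst -sha256 -binary | openssl enc -base64
}

# Base64(SHA-256(entire DER certificate)) of a PEM certificate file.
cert_pin() {
    openssl x509 -in "$1" -outform DER |
        openssl dgst -sha256 -binary | openssl enc -base64
}

# Generate a P-256 private key. Usage: new_key OUT
new_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null
}

# Self-sign a certificate for an existing key (stands in for a CA issuance).
# Usage: issue_cert KEY OUT DAYS
issue_cert() {
    openssl req -new -x509 -key "$1" -out "$2" -days "$3" -subj "/CN=example.com" 2>/dev/null
}

work=$(mktemp -d)
new_key "$work/key.pem"
issue_cert "$work/key.pem" "$work/old.pem" 90        # current certificate
issue_cert "$work/key.pem" "$work/renewed.pem" 365   # renewal, same key pair
new_key "$work/key2.pem"
issue_cert "$work/key2.pem" "$work/rotated.pem" 365  # renewal with a new key pair

spki_old=$(spki_pin "$work/old.pem");         cert_old=$(cert_pin "$work/old.pem")
spki_renewed=$(spki_pin "$work/renewed.pem"); cert_renewed=$(cert_pin "$work/renewed.pem")
spki_rotated=$(spki_pin "$work/rotated.pem")
rm -rf "$work"

printf 'publicKey pin,   current certificate: %s\n' "$spki_old"
printf 'publicKey pin,   renewed (same key) : %s\n' "$spki_renewed"
printf 'publicKey pin,   renewed (new key)  : %s\n' "$spki_rotated"
printf 'certificate pin, current certificate: %s\n' "$cert_old"
printf 'certificate pin, renewed (same key) : %s\n' "$cert_renewed"
```

The first two publicKey pins are identical while the certificate pins differ; the pin for a new key pair differs from both, so it has to be configured as an additional pin before the server starts presenting that key.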

Configuration example:

<certificatePinning>

        <!-- Enables the certificate pinning functionality -->
        <enabled>false</enabled>

        <!--
        The mode can be 'strict' or 'permissive'.
        - 'strict': The connection will only succeed if at least one pin matches. This means that if
        the host is not configured or the pin does not match, the connection will fail.
        - 'permissive': Only configured hosts will apply certificate pinning.
        -->
        <mode>permissive</mode>

</certificatePinning>

Note: Pin values must be provided in Base64, corresponding to the SHA-256 hash of the certificate or the public key.
