
Certificate pinning in Android & iOS

When we import an SSL certificate into our app for certificate pinning, we have to update the apk/ipa every year at the time of the certificate update.

Can we overcome this?

Reference: https://infinum.co/the-capsized-eight/articles/securing-mobile-banking-on-android-with-ssl-certificate-pinning

Drawbacks: Less flexibility - when you do SSL certificate pinning, changing the SSL certificate is not that easy. For every SSL certificate change, you have to make an update to the app, push it to Google Play and hope the users will install it.

Please guide to overcome this.

Have a look at this article about certificate pinning and public key pinning: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

An important question is what you want to pin. If you don't want to release a new version every time the certificate changes, you can also pin to the public key of the certificate; since you can keep the same public key when you renew your certificate, your app will still work with the new certificate.

Another option is not to pin to your server certificate but to the intermediate or the root certificate of the CA. The intermediate certificate is usually valid for a longer time.

There is no way to overcome this, but you can make this less painful:

  • If you pin the anchor certificate (the CA), that certificate is not going to change often (every 5 or 10 years).
  • Better than pinning the certificate itself, you should pin the key inside the certificate, which doesn't change when you re-issue a certificate.
  • Most pinning libraries (such as the one I worked on: https://github.com/datatheorem/TrustKit ) let you specify an expiration date for the pinning policy, so that in case you forget to update the IPA/APK, the App still works for your users (but with pinning disabled, which is still relatively secure).
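Both answers above make the same point: pin the public key (SPKI), not the certificate, and the yearly renewal stops breaking the app as long as the server keeps its key. The script below is an added example, not code from the thread or from TrustKit. It uses only the openssl CLI: it generates one key, issues two self-signed certificates for it (this year's and a renewal), and shows that the whole-certificate fingerprint changes while the SPKI pin stays identical; a third certificate on a fresh key shows the case where the pin really does change and an app update is unavoidable. The hostname example.test and all keys are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original Q&A): why a public-key (SPKI) pin survives
# certificate renewal while a certificate pin does not. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Public-key pin in the form used by Android Network Security Config, TrustKit
# and HPKP: base64( SHA-256( DER-encoded SubjectPublicKeyInfo ) ).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Whole-certificate fingerprint: what a certificate (not key) pin compares.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Self-signed certificate for an existing key. Each "renewal" gets a new serial
# number, so the certificate bytes (and its fingerprint) differ every time.
issue_cert() {
    # $1 = private key, $2 = output certificate, $3 = serial number
    openssl req -new -x509 -key "$1" -out "$2" -days 365 -set_serial "$3" \
        -subj "/CN=example.test" 2>/dev/null
}

# Succeeds (exit 0) when two certificates carry the same public key,
# i.e. an app pinned to the SPKI of the first still accepts the second.
same_spki_pin() {
    [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]
}

# Constructed scenario: key A is reused across two renewals, key B is a fresh key.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/keyA.pem" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/keyB.pem" 2>/dev/null
issue_cert "$WORK/keyA.pem" "$WORK/year1.pem"  1001
issue_cert "$WORK/keyA.pem" "$WORK/year2.pem"  1002
issue_cert "$WORK/keyB.pem" "$WORK/newkey.pem" 1003

for c in year1 year2 newkey; do
    printf '%-7s cert fingerprint: %s\n' "$c" "$(cert_fingerprint "$WORK/$c.pem")"
    printf '%-7s SPKI pin:         %s\n' "$c" "$(spki_pin "$WORK/$c.pem")"
done

if same_spki_pin "$WORK/year1.pem" "$WORK/year2.pem"; then
    echo "renewal on the same key: SPKI pin unchanged, no app update needed"
fi
if ! same_spki_pin "$WORK/year1.pem" "$WORK/newkey.pem"; then
    echo "renewal on a new key: SPKI pin changed, app must ship the new pin"
fi
```

The value printed as the SPKI pin is exactly what goes into an Android network security config `<pin digest="SHA-256">` entry or a TrustKit `kTSKPublicKeyHashes` list. Because a key rotation still changes the pin, the usual practice is to keep a backup pin for a key that is generated now but only used later, so the app already trusts it when the rotation happens.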
