
How can improper certificate pinning be stopped by the Spinner tool?

Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the Spinner tool.

Mobile banking apps on Android and iOS devices were found to be vulnerable to man-in-the-middle attacks. The vulnerability was possible because of issues in the apps' TLS implementations, according to security researchers. The researchers developed a tool in response to these flaws called the Spinner tool. How does the Spinner tool work, and should enterprises use it?

Transport Layer Security (TLS) is a cryptographic protocol that provides privacy and data integrity between two communicating computer applications, such as a web server and a browser or mobile app. While the protocol is deemed secure, its implementation often isn't.

Researchers at the School of Computer Science at the University of Birmingham found several Android and iOS mobile apps from leading banks and a popular VPN provider had failed to correctly implement certificate pinning -- a technology used to counter certificate spoofing by attackers using mis-issued or otherwise fraudulent certificates. This error could have enabled an attacker to conduct man-in-the-middle (MitM) attacks to steal customer credentials or view and manipulate online customer communications.

Certificate pinning, or HTTP Public Key Pinning, delivers a set of pinned public key hashes (not certificates) to the client, meaning the browser or app, via an HTTP header. These are hashes of the only keys trusted for connections to a given server.

When a client obtains the server's certificate, it can check the public key or keys in the server's certificate chain against the pinned set of public key hashes. If the server isn't using one or more of those public keys in its certificate chain, the client displays an error message, preventing the user from accessing what is, potentially, a malicious site. Of course, the client also needs to check that the hostname in the URL to which it's connecting actually matches the hostname in the digital certificate that the server sends back as part of the TLS connection.

Certificate hostname verification is a crucial stage in the establishment of a TLS connection. If it's not performed correctly, an attacker sharing the same Wi-Fi network as their victim can use Address Resolution Protocol or domain name system spoofing to intercept the TLS handshake and provide the app with a valid certificate that chains to the certificate the app pins but was issued for a different hostname than the one the app is connecting to. It is relatively easy to detect a lack of proper hostname verification during the TLS handshake, but the researchers found that, in instances where applications were using certificate pinning, it was a lot harder to detect.
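The following added example (not code from the article or from the Spinner project) models the two client-side checks described above and shows how a pin on an issuing CA's key hides a missing hostname check. Byte strings stand in for DER-encoded public keys, the hostnames are constructed, and chain-to-root validation is assumed to have already succeeded.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-256 of a SubjectPublicKeyInfo, the form used for key pins."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def hostname_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, _, rest = host.partition(".")
    # Reject wildcards that would span more than one label or a bare suffix.
    return bool(head) and rest == pattern[2:] and "." in rest

def chain_is_pinned(chain, pins) -> bool:
    """True if any key in the presented chain hashes to a pinned value."""
    return any(spki_pin(cert["spki"]) in pins for cert in chain)

def client_accepts(chain, host, pins, verify_hostname=True) -> bool:
    """chain[0] is the leaf; chain-to-root validation is assumed done."""
    if not chain or not chain_is_pinned(chain, pins):
        return False
    if verify_hostname:
        return any(hostname_matches(n, host) for n in chain[0]["dns_names"])
    return True  # pin-only client: the flaw described in the article

# Constructed sample data: two leaves issued under the same intermediate CA.
INTERMEDIATE = {"spki": b"constructed-intermediate-ca-key", "dns_names": []}
BANK_CHAIN = [{"spki": b"constructed-bank-leaf-key",
               "dns_names": ["bank.example", "*.bank.example"]}, INTERMEDIATE]
OTHER_CHAIN = [{"spki": b"constructed-other-leaf-key",
                "dns_names": ["other.example"]}, INTERMEDIATE]
PINS = {spki_pin(INTERMEDIATE["spki"])}  # the app pins the issuing CA's key

if __name__ == "__main__":
    for label, chain in (("bank", BANK_CHAIN), ("other", OTHER_CHAIN)):
        print(label,
              client_accepts(chain, "api.bank.example", PINS, verify_hostname=False),
              client_accepts(chain, "api.bank.example", PINS))
```

The pin check alone passes for both chains because they share the pinned key; only the hostname comparison on the leaf separates them.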

To help developers check that they have implemented hostname verification and certificate pinning correctly, the researchers developed an open source tool called Spinner that doesn't require purchasing any certificates to work. It was this tool that the researchers used to analyze 400 security-sensitive Android and iPhone apps.

The results identified nine instances where an app's certificate pinning inadvertently masked improper hostname verification. Fifteen other applications that didn't practice certificate pinning were also flagged by Spinner either for failing to perform a hostname check or for issuing a self-signed certificate -- both poor practices. All the vulnerable apps uncovered by Spinner have now been patched.

Spinner works by analyzing the certificate chain of the requested domain and then querying Censys (a search engine that enables researchers to query hosts and networks on the internet in real time) for sites that use the same certificate chain, apart from the leaf certificate, as the domain being analyzed.

Spinner then redirects the traffic from the app being tested to these websites. If the connection fails during the establishment phase, then the app has correctly detected the wrong hostname. However, if the connection is established and the encrypted application data is transferred by the client before the connection fails, then the app has failed to verify the hostname and is vulnerable to MitM attacks, even if it uses certificate pinning.
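The pass/fail rule described above can be applied to the client-to-server bytes of one redirected connection by reading TLS record headers. This is an added example, not Spinner's own code; it assumes TLS 1.2 record framing (TLS 1.3 also labels encrypted handshake records as type 23, so the rule does not carry over unchanged), and the verdict strings and captures are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, ALERT, APPLICATION_DATA = 22, 20, 21, 23

def record(ctype: int, payload: bytes) -> bytes:
    """Build one TLS 1.2 record: type, version 0x0303, length, payload."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def tls_records(stream: bytes):
    """Yield (content_type, payload) per complete record; stop at a truncated one."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            break
        yield ctype, stream[pos + 5 : pos + 5 + length]
        pos += 5 + length

def verdict(client_stream: bytes) -> str:
    """Classify what the app under test sent to the substituted host."""
    records = list(tls_records(client_stream))
    if not records:
        return "inconclusive"  # nothing captured, so nothing to judge
    handshake_finished = False
    for ctype, _payload in records:
        if ctype == CHANGE_CIPHER_SPEC:
            handshake_finished = True
        elif ctype == APPLICATION_DATA and handshake_finished:
            return "vulnerable"  # encrypted data went to the wrong hostname
    # No application data: a stop before ChangeCipherSpec means the client
    # refused the certificate during connection establishment.
    return "inconclusive" if handshake_finished else "hostname-checked"

# Constructed captures (payload bytes are placeholders, not real handshakes).
REJECTED = record(HANDSHAKE, b"client_hello") + record(ALERT, b"\x02\x2a")
ACCEPTED = (record(HANDSHAKE, b"client_hello")
            + record(HANDSHAKE, b"client_key_exchange")
            + record(CHANGE_CIPHER_SPEC, b"\x01")
            + record(HANDSHAKE, b"encrypted_finished")
            + record(APPLICATION_DATA, b"encrypted_request"))

if __name__ == "__main__":
    print(verdict(REJECTED), verdict(ACCEPTED))
```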

Proper certificate pinning is a highly effective countermeasure to MitM attacks, and developers should certainly use Spinner and other automated tools to test for a variety of TLS flaws and ensure that their app correctly implements all the requirements for a secure TLS connection, and that data is encrypted as expected. Otherwise, the chances are that confidential user data may be left exposed or open to attack.
