A Comparative Analysis of Certificate Pinning in Android & iOS

Abstract

TLS certificate pinning is a security mechanism used by applications (apps) to protect their network traffic against malicious certificate authorities (CAs), in-path monitoring, and other TLS tampering. Pinning can provide enhanced security to defend against malicious third-party access to sensitive data in transit (e.g.,to protect sensitive banking and health care information), but can also hide an app’s personal data collection from users and auditors. Prior studies found pinning was rarely used in the Android ecosystem; however, little is known about recent pinning usage on iOS and across mobile platforms.

In this paper, we thoroughly investigate the use of certificate pinning on Android and iOS. We collect 5,079 unique apps from the two official app stores: 575 common apps, 1,000 popular apps each, and 1,000 randomly selected apps each. We develop novel, cross-platform, static and dynamic analysis techniques to detect certificate pinning, not only based on static configurations, but also its run-time use.

We find certificate pinning as much as 4 times more widely adopted than reported in prior studies. More specifically, we find that at least 0.9% to 8% of Android apps and 2.5% to 11% of iOS apps use certificate pinning (depending on the above groups of apps). We then investigate which categories of apps most frequently use pinning (apps in the “finance” category), which destinations are typically pinned (first-party destinations vs those used by third-party libraries), which certificates are pinned and how they are pinned (CA vs leaf certificates), and the connection security for pinned connections vs unpinned ones (e.g., the use of weak ciphers or improper certificate validation). Last, we investigate how many pinned connections are amenable to binary instrumentation for revealing the contents of their connections, and for those that are, we analyze the data sent in pinned connections to understand what is protected by pinning.