DOI: 10.5555/2831143.2831159

To Pin or Not to Pin: Helping App Developers Bullet Proof Their TLS Connections

Published: 12 August 2015

Abstract

For increased security during TLS certificate validation, a common recommendation is to use some variant of pinning. Developers of non-browser software in particular are encouraged to limit the set of trusted certificates to a minimum, since the default CA-based approach is known to be vulnerable to serious security threats.

The decision for or against pinning is always a tradeoff between increasing security and keeping maintenance effort at an acceptable level. In this paper, we present an extensive study on the applicability of pinning for non-browser software by analyzing 639,283 Android apps. Conservatively, we propose pinning as an appropriate strategy for 11,547 (1.8%) apps or for 45,247 TLS connections (4.25%) in our sample set. With a more optimistic classification of borderline cases, we propose pinning for consideration for 58,817 (9.1%) apps or for 140,020 (3.8%) TLS connections. This weakens the assumption that pinning is a widely usable strategy for TLS security in non-browser software. However, in a nominal-versus-actual comparison, we find that only 45 apps actually implement pinning. We collected developer feedback from 45 respondents and learned that only a quarter of them grasp the concept of pinning, but even those still find pinning too complex to use. Based on their feedback, we built an easy-to-use web application that supports developers in the decision process and guides them through the correct deployment of a pinning-protected TLS implementation.

Published In

SEC'15: Proceedings of the 24th USENIX Conference on Security Symposium
August 2015, 1072 pages
ISBN: 9781931971232

Sponsors

  • USENIX Association

Publisher

USENIX Association

United States

Cited By

  • (2023) A First Look into Software Security Practices in Bangladesh. ACM Journal on Computing and Sustainable Societies 1:1, pp. 1-24. DOI 10.1145/3616383. Online publication date: 22 Sep 2023.
  • (2021) Code reviewing as methodology for online security studies with developers. Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, pp. 397-416. DOI 10.5555/3563572.3563593. Online publication date: 9 Aug 2021.
  • (2021) A Systematic Literature Review of Empirical Methods and Risk Representation in Usable Privacy and Security Research. ACM Transactions on Computer-Human Interaction 28:6, pp. 1-50. DOI 10.1145/3469845. Online publication date: 23 Dec 2021.
  • (2021) Smart Contract Security. Proceedings of the 43rd International Conference on Software Engineering, pp. 1410-1422. DOI 10.1109/ICSE43902.2021.00127. Online publication date: 22 May 2021.
  • (2021) Do you really code? Proceedings of the 43rd International Conference on Software Engineering, pp. 537-548. DOI 10.1109/ICSE43902.2021.00057. Online publication date: 22 May 2021.
  • (2019) Keepers of the machines. Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, pp. 273-288. DOI 10.5555/3361476.3361496. Online publication date: 12 Aug 2019.
  • (2019) Stack Overflow considered helpful! Deep learning security nudges towards stronger cryptography. Proceedings of the 28th USENIX Conference on Security Symposium, pp. 339-356. DOI 10.5555/3361338.3361362. Online publication date: 14 Aug 2019.
  • (2019) A Systematic Analysis of User Evaluations in Security Research. Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1-7. DOI 10.1145/3339252.3340339. Online publication date: 26 Aug 2019.
  • (2018) API blindspots. Proceedings of the Fourteenth USENIX Conference on Usable Privacy and Security, pp. 315-328. DOI 10.5555/3291228.3291253. Online publication date: 12 Aug 2018.
  • (2018) A Large Scale Investigation of Obfuscation Use in Google Play. Proceedings of the 34th Annual Computer Security Applications Conference, pp. 222-235. DOI 10.1145/3274694.3274726. Online publication date: 3 Dec 2018.
