Skip to main content

Use certificate pinning

Requirement#

Mobile applications should use certificate pinning to validate the endpoints. If a pinset is used, up to 2 certificates should be allowed.

Vulnerabilities#

References#

  • CAPEC-94: Man in the Middle Attack: This type of attack targets the communication between two components (typically client and server). The attacker places themself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never observed.

  • CWE-295: Improper Certificate Validation: The software does not validate, or incorrectly validates, a certificate.

  • CWE-297: Improper Validation of Certificate with Host Mismatch: The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.

  • CWE-300: Channel Accessible by Non-Endpoint: The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.