A secure connection between the mobile app and the server is one measure you can take to prevent third parties from stealing your sensitive data. When done correctly, all communication is encrypted and only the customer's mobile app and your server can decrypt the messages. This is done via Transport Layer Security (TLS), which is often still referred to by the name of its predecessor, Secure Sockets Layer (SSL).
TLS depends on certificates to accomplish the secure connection. When the mobile app initiates the communication, it needs to retrieve the certificate. The mobile app then verifies that the certificate is still valid, as it is possible that the certificate has expired or was revoked. Using an invalid certificate is comparable to using an insecure connection: an attacker could potentially eavesdrop on the communication between the mobile app and the server.
How does the mobile app know that the certificate is genuine? There are certificate authorities (CAs) that issue the server certificates. The hosting company of your website can be a CA. These certificate authorities have their own certificate that the mobile app can validate. This is called the intermediate certificate.
Most of the time, there is another certificate authority that issues these intermediate certificates: the root CAs. The certificates of the root CAs are often shipped with the browser or the operating system.
The relation of the root certificate, intermediate certificate and server certificate is called a certificate chain. The chain can be longer than three links.
In 2019 the government of Kazakhstan asked its people to manually install a root certificate. The government abused the ignorance of the people by telling them that this root certificate is more secure, while the real reason is that they want to control the usage of social networks.
Certificate pinning is a mitigation to prevent communication when the certificates from the certificate chain do not match the expected certificates. The expected certificates are bundled with the mobile app when it's being shipped to the App Store or Google Play.
The Onegini Mobile SDK will stop communication when it detects a mismatch in the certificates. This raises the level of security, but may result in usability issues.
Certificates expire and are then replaced by a newer certificate. This may result in the mobile app no longer working because it does not know this new certificate.
Which certificates should you pin on?
Let's take a look at the certificate chain of the Onegini website (August 2019):
- Root: Baltimore CyberTrust root
  - valid from 12 May 2000, 18:46:00 GMT
  - valid until 12 May 2025, 23:59:00 GMT
- Intermediate: CloudFlare Inc ECC CA-2
  - valid from 14 October 2015, 12:00:00 GMT
  - valid until 9 October 2020, 12:00:00 GMT
- Server: www.onegini.com
  - valid from 18 October 2018, 00:00:00 GMT
  - valid until 18 October 2019, 12:00:00 GMT
The root certificate has a very long validity. Pinning on only this certificate is handy when you release the app rarely and stay with the same registrar. Your users aren't asked to download a newer version of the app only because the server certificate will lose or has lost its validity. The downside is that the certificate is currently over 19 years old. The algorithms that were very strong in 2000 may not be strong enough in 2025.
The root CA is at the very beginning of the chain. We can trust it, but it can be the root of many intermediate CAs. Each of those intermediate CAs can issue a certificate for our website.
The server certificate has a very short validity. At least once per year we create a new certificate with the most up-to-date algorithm. Pinning on this certificate raises the certainty that we're communicating with the intended server, because we have created this certificate. Using the server certificate does require that the users update the app before the certificate expires. It has to be available in the app stores in time because not every user will automatically update their apps.
There is a chance that you have to revoke the certificate before it expires. If you want your customers to keep using a secure connection, you should generate two certificates. One of them is installed on the server while the other is kept in a secure vault. Both are bundled with the app. When you revoke the installed certificate, you should replace it with the backup from the secure vault and your customers can keep using this version of the app until the backup expires.
Pinning on the intermediate certificate is a middle-of-the-road solution: its validity is longer than the server certificate but much shorter than the root CA. You have registered your server certificate with this party, so it's more certain that this is the right certificate than when you pin on the root certificate. However, you don't control the intermediate certificate. Intermediate certificates have been renamed in the past when the CA has been sold. Root CAs can revoke their trust in intermediate CAs. This will be announced, but you do need to take action when pinning on the intermediate certificate.
Certificate pinning increases the chance that the communication between the mobile app and the server is genuine. Which certificates you choose to pin on depends on the balance of security and usability. The most secure solution is to pin on all certificates in the chain while the most flexible is to pin on the root certificate only.
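The trade-offs above (root-only pinning, server pinning with a backup certificate, pinning the whole chain) can be compared in a small model. This is an added example, not code from the Onegini Mobile SDK: the certificate bytes are constructed placeholders, the backup certificate's expiry is an assumption, and the check is assumed to run after normal TLS chain validation.

```python
import hashlib
from datetime import datetime, timezone

def fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

# Constructed placeholder bytes standing in for DER certificates (not real ones).
ROOT, INTERMEDIATE = b"root-der", b"intermediate-der"
OTHER_INTERMEDIATE = b"other-intermediate-der"   # different CA under the same root
SERVER, BACKUP = b"server-der", b"backup-server-der"
FOREIGN_SERVER = b"server-der-issued-by-other-intermediate"

# Expiry dates for root, intermediate and server are the ones listed in the
# article; the backup certificate's expiry is an assumption.
NOT_AFTER = {
    fp(ROOT): utc(2025, 5, 12, 23, 59),
    fp(INTERMEDIATE): utc(2020, 10, 9, 12),
    fp(SERVER): utc(2019, 10, 18, 12),
    fp(BACKUP): utc(2020, 10, 18, 12),  # assumed
}

# A pin set is a list of groups; each group must match at least one
# certificate in the presented chain.
PIN_ROOT_ONLY = [{fp(ROOT)}]
PIN_SERVER = [{fp(SERVER), fp(BACKUP)}]
PIN_ALL = [{fp(SERVER), fp(BACKUP)}, {fp(INTERMEDIATE)}, {fp(ROOT)}]

def chain_allowed(chain, pins):
    """chain: DER certificates presented by the server, of any length."""
    presented = {fp(cert) for cert in chain}
    return all(group & presented for group in pins)

def usable_until(pins):
    """Latest moment this bundled pin set can still match a valid chain:
    a group lasts until its last pin expires, the set until its first group fails."""
    return min(max(NOT_AFTER[p] for p in group) for group in pins)
```

A chain issued by another intermediate under the same root passes `PIN_ROOT_ONLY` but fails the other two sets, and `usable_until` gives the date before which an updated app must have reached users.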