There is no doubt that SSL Pinning is a very important security control. It helps ensure the security of the communication and reduces the risk of man-in-the-middle attacks, in which an attacker is able to intercept, decrypt and even tamper with the communication between two nodes in the network. Whitelisting is done through the server's certificate or its public key, which is hardcoded into the application's source code and validated before a secure SSL/TLS channel is established. With SSL Pinning, an application makes sure to connect only to a set of whitelisted servers.

There are many security test cases, both static and dynamic, that you can run against a mobile application. One of the most important is verifying whether or not the application implements SSL Pinning to protect the communication; SSL Pinning is a must for protecting the communication.

In a black-box approach, the pentester is given nothing but a target and, in the case of Android mobile applications, that usually boils down to an apk file. If you are pentesting an Android application in a black-box approach, you will need a reliable way to intercept and decrypt the traffic between the application and the server. Since SSL Pinning is one of the most important security controls for protecting the communication between the mobile client and the server, being able to bypass it is also important in order to evaluate the server the application is communicating with. As a pentester, you may find yourself needing to bypass security controls to provide a more meaningful evaluation.
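The core pinning check described above, as an added example that is not code from the original post: it walks a DER certificate down to its SubjectPublicKeyInfo, derives the "sha256/<base64>" pin string used by OkHttp's CertificatePinner and HPKP, and accepts a presented chain only if one certificate matches a configured pin. It is written in Python rather than Android Java/Kotlin so the logic runs stand-alone; the small DER encoder, the unsigned dummy certificates and the backup-pin placeholder are constructed for the demo and are not real data.

```python
import base64
import hashlib
import hmac

# ASN.1 tags used below.
SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTC_TIME, CONTEXT_0 = (
    0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0)


def der_read_tlv(buf, offset=0):
    """Decode one DER TLV at offset; return (tag, value, raw_tlv, next_offset)."""
    tag = buf[offset]
    first = buf[offset + 1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length: 0x8N then N bytes
        n = first & 0x7F
        length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
        header = 2 + n
    start = offset + header
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], buf[offset:end], end


def der_children(value):
    """Yield (tag, value, raw_tlv) for each element inside a constructed value."""
    off = 0
    while off < len(value):
        tag, inner, raw, off = der_read_tlv(value, off)
        yield tag, inner, raw


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_value, _, _ = der_read_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER certificate")
    tbs_tag, tbs_value, _, _ = der_read_tlv(cert_value)
    if tbs_tag != SEQUENCE:
        raise ValueError("malformed tbsCertificate")
    fields = list(der_children(tbs_value))
    if fields and fields[0][0] == CONTEXT_0:   # explicit version (v2/v3) present
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][2]


def spki_pin(cert_der):
    """'sha256/<base64>' pin over the SPKI (the OkHttp CertificatePinner / HPKP format)."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_is_pinned(chain_der, pinned):
    """Accept only if some certificate in the presented chain matches a pin.

    Pinning the SPKI instead of the whole certificate lets the server renew its
    certificate with the same key without breaking clients; `pinned` should hold
    the current pin plus at least one backup pin for a key held offline.
    """
    for cert_der in chain_der:
        candidate = spki_pin(cert_der)
        if any(hmac.compare_digest(candidate, p) for p in pinned):
            return True
    return False   # fail closed: no matching pin means no connection


# --- constructed sample data (unsigned dummy certificates, not real ones) ---

def der_encode(tag, payload):
    """Minimal DER TLV encoder, only used to build the dummy certificates."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def build_sample_cert(pubkey_bytes):
    """Build a structurally valid but unsigned dummy certificate; return (cert, spki)."""
    rsa_oid = der_encode(OID, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1
    alg = der_encode(SEQUENCE, rsa_oid + der_encode(NULL, b""))
    spki = der_encode(SEQUENCE, alg + der_encode(BIT_STRING, b"\x00" + pubkey_bytes))
    name = der_encode(SEQUENCE, b"")                                 # empty Name
    validity = der_encode(SEQUENCE,
                          der_encode(UTC_TIME, b"240101000000Z") +
                          der_encode(UTC_TIME, b"250101000000Z"))
    tbs = der_encode(SEQUENCE,
                     der_encode(CONTEXT_0, der_encode(INTEGER, b"\x02")) +  # version v3
                     der_encode(INTEGER, b"\x01") +                          # serialNumber
                     alg + name + validity + name + spki)
    fake_sig = der_encode(BIT_STRING, b"\x00" * 9)
    return der_encode(SEQUENCE, tbs + alg + fake_sig), spki


SAMPLE_CERT, SAMPLE_SPKI = build_sample_cert(b"\x01" * 32)
ROTATED_CERT, _ = build_sample_cert(b"\x02" * 32)     # same issuer, different key
SAMPLE_PIN = spki_pin(SAMPLE_CERT)
PINS = {SAMPLE_PIN, "sha256/<backup pin placeholder>"}  # placeholder, not a real digest

if __name__ == "__main__":
    print("current pin:", SAMPLE_PIN)
    print("pinned chain accepted:", chain_is_pinned([SAMPLE_CERT], PINS))    # True
    print("unpinned key accepted:", chain_is_pinned([ROTATED_CERT], PINS))   # False
```

In a real client this check runs inside the TLS trust callback, before any application data is sent, and a mismatch aborts the handshake; the set of pins (current plus backup) is what ends up hardcoded in the app, which is also what a tester looks for when checking whether pinning is implemented at all.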