SSL/TLS pinning in 2022

[droidandy]

Hi,

I understand the default answer is probably;

Yes we recommend certificate pinning as a defence-in-depth measure. etc.

However... I'd like to start a discussion. Is there a benefit to doing this in 2022, when iOS and Android can detect rogue CAs. My understanding is that a successful attack would require a rogue root cert/profile to be installed. Either through clicking or physical access to a handset.

I wondered what peoples thoughts are is there any huge downsides on no longer employing this tactic on mobile apps?
Or convincing and compelling reasons why we should continue to enforce this?

Thanks

[cpholguera]

Thanks for posting @droidandy. This is the posture of the MASTG on this topic:

https://mas.owasp.org/MASTG/General/0x04f-Testing-Network-Communication/#restricting-trust-identity-pinning

Let's see what the community has to say on this. Currently we're keeping it as a defense-in- depth MASVS control for MASVS v2.

[commjoen]

As I understood it after some work on it:
Pinning is not only countering issues of when a rogue CAs being installed: it can be any sort of impersonation of a given domain.
However: using certificate transparency combined with device/app attestation(to catch an early tamper/rogue cert install) can help a lot to detect some of these problems. There are 2 cases where CT will not help and pinning might do:

• high risk internal apps using domains you don’t want to see popping up in certificate transparency logs.
• cases where the attacker has control over the CT query results

For these, if you do not have alternative controls and do not want to accept whatever risk of MiTM, you pay the price of app-unavailability in case a key or cert is no longer in sync (depending on the type of pinning used).