To Pin or Not to Pin—Helping App Developers Bullet Proof Their TLS Connections
M. Oltrogge, Y. Acar, S. Dechand, M. Smith, and S. Fahl. 24th USENIX Security Symposium (USENIX Security 15), pages 239-254. Washington, D.C., USENIX Association, (August 2015)
Abstract
For increased security during TLS certificate validation, a common recommendation is to use a variation of pinning. Especially non-browser software developers are encouraged to limit the number of trusted certificates to a minimum, since the default CA-based approach is known to be vulnerable to serious security threats.
The decision for or against pinning is always a tradeoff between increasing security and keeping maintenance efforts at an acceptable level. In this paper, we present an extensive study on the applicability of pinning for non-browser software by analyzing 639,283 Android apps. Conservatively, we propose pinning as an appropriate strategy for 11,547 (1.8%) apps or for 45,247 TLS connections (4.25%) in our sample set. With a more optimistic classification of borderline cases, we propose pinning for consideration for 58,817 (9.1%) apps or for 140,020 (3.8%1) TLS connections. This weakens the assumption that pinning is a widely usable strategy for TLS security in non-browser software. However, in a nominal-actual comparison, we find that only 45 apps actually implement pinning. We collected developer feedback from 45 respondents and learned that only a quarter of them grasp the concept of pinning, but still find pinning too complex to use. Based on their feedback, we built an easy-to-use web-application that supports developers in the decision process and guides them through the correct deployment of a pinning-protected TLS implementation.
%0 Conference Paper
%1 190898
%A Oltrogge, Marten
%A Acar, Yasemin
%A Dechand, Sergej
%A Smith, Matthew
%A Fahl, Sascha
%B 24th USENIX Security Symposium (USENIX Security 15)
%C Washington, D.C.
%D 2015
%I USENIX Association
%K TLS android apps certificate myown pinning security
%P 239-254
%T To Pin or Not to Pin—Helping App Developers Bullet Proof Their TLS Connections
%U https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/oltrogge
%X For increased security during TLS certificate validation, a common recommendation is to use a variation of pinning. Especially non-browser software developers are encouraged to limit the number of trusted certificates to a minimum, since the default CA-based approach is known to be vulnerable to serious security threats.
The decision for or against pinning is always a tradeoff between increasing security and keeping maintenance efforts at an acceptable level. In this paper, we present an extensive study on the applicability of pinning for non-browser software by analyzing 639,283 Android apps. Conservatively, we propose pinning as an appropriate strategy for 11,547 (1.8%) apps or for 45,247 TLS connections (4.25%) in our sample set. With a more optimistic classification of borderline cases, we propose pinning for consideration for 58,817 (9.1%) apps or for 140,020 (3.8%1) TLS connections. This weakens the assumption that pinning is a widely usable strategy for TLS security in non-browser software. However, in a nominal-actual comparison, we find that only 45 apps actually implement pinning. We collected developer feedback from 45 respondents and learned that only a quarter of them grasp the concept of pinning, but still find pinning too complex to use. Based on their feedback, we built an easy-to-use web-application that supports developers in the decision process and guides them through the correct deployment of a pinning-protected TLS implementation.
%@ 978-1-931971-232
@inproceedings{190898,
abstract = {For increased security during TLS certificate validation, a common recommendation is to use a variation of pinning. Especially non-browser software developers are encouraged to limit the number of trusted certificates to a minimum, since the default CA-based approach is known to be vulnerable to serious security threats.
The decision for or against pinning is always a tradeoff between increasing security and keeping maintenance efforts at an acceptable level. In this paper, we present an extensive study on the applicability of pinning for non-browser software by analyzing 639,283 Android apps. Conservatively, we propose pinning as an appropriate strategy for 11,547 (1.8%) apps or for 45,247 TLS connections (4.25%) in our sample set. With a more optimistic classification of borderline cases, we propose pinning for consideration for 58,817 (9.1%) apps or for 140,020 (3.8%1) TLS connections. This weakens the assumption that pinning is a widely usable strategy for TLS security in non-browser software. However, in a nominal-actual comparison, we find that only 45 apps actually implement pinning. We collected developer feedback from 45 respondents and learned that only a quarter of them grasp the concept of pinning, but still find pinning too complex to use. Based on their feedback, we built an easy-to-use web-application that supports developers in the decision process and guides them through the correct deployment of a pinning-protected TLS implementation.},
added-at = {2016-01-12T13:04:20.000+0100},
address = {Washington, D.C.},
author = {Oltrogge, Marten and Acar, Yasemin and Dechand, Sergej and Smith, Matthew and Fahl, Sascha},
biburl = {https://www.bibsonomy.org/bibtex/28c75d47aee390ed5c30586b98f64cb87/smithl3s},
booktitle = {24th USENIX Security Symposium (USENIX Security 15)},
interhash = {186f114e6fac501d5a55c5b2696237f8},
intrahash = {8c75d47aee390ed5c30586b98f64cb87},
isbn = {978-1-931971-232},
keywords = {TLS android apps certificate myown pinning security},
month = aug,
pages = {239-254},
publisher = {USENIX Association},
timestamp = {2020-04-17T12:11:05.000+0200},
title = {To Pin or Not to Pin—Helping App Developers Bullet Proof Their TLS Connections},
url = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/oltrogge},
year = 2015
}