TeamUSEC

To Pin or Not to Pin-Helping App Developers Bullet Proof Their TLS Connections

Marten Oltrogge, Yasemin Acar, Sergej Dechand, Matthew Smith and Sascha Fahl.
24th USENIX Security Symposium, USENIX Security 15, Washington, D.C., USA, August 12-14, 2015

Abstract

For increased security during TLS certificate validation, a common recommendation is to use a variation of pinning. Non-browser software developers especially are encouraged to limit the number of trusted certificates to a minimum, since the default CA-based approach is known to be vulnerable to serious security threats. The decision for or against pinning is always a tradeoff between increasing security and keeping maintenance efforts at an acceptable level.

In this paper, we present an extensive study on the applicability of pinning for non-browser software by analyzing 639,283 Android apps. Conservatively, we propose pinning as an appropriate strategy for 11,547 (1.8%) apps or for 45,247 TLS connections (4.25%) in our sample set. With a more optimistic classification of borderline cases, we propose pinning for consideration for 58,817 (9.1%) apps or for 140,020 (3.8%) TLS connections. This weakens the assumption that pinning is a widely usable strategy for TLS security in non-browser software. However, in a nominal-actual comparison, we find that only 45 apps actually implement pinning. We collected developer feedback from 45 respondents and learned that only a quarter of them grasp the concept of pinning, but still find pinning too complex to use. Based on their feedback, we built an easy-to-use web application that supports developers in the decision process and guides them through the correct deployment of a pinning-protected TLS implementation.
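The abstract frames pinning as a tradeoff between security and maintenance. The following is an added example, not code from the paper or from the authors' web application, showing the two mechanisms that decide that tradeoff in practice: pinning the SubjectPublicKeyInfo (SPKI) rather than the whole certificate, so routine certificate renewal does not break the app, and keeping a backup pin plus a pin-set expiry, so a key rotation or a forgotten update degrades to ordinary CA validation instead of bricking every client. It uses only the Python standard library; the certificates it parses are constructed DER skeletons built by `toy_cert`, not real signed certificates, and the function names are the example's own.

```python
"""SPKI pinning check for a TLS certificate chain (added example, stdlib only)."""
import base64
import hashlib
import time


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed fixture below)."""
    if len(value) < 0x80:
        length = bytes([len(value)])
    else:
        lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def spki_from_cert_der(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    The whole SPKI TLV is returned because that is what an RFC 7469-style pin
    hashes, so the pin survives certificate renewal as long as the key is kept.
    """
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    fields, pos = [], 0
    while pos < len(tbs):
        start = pos
        ftag, _, pos = _read_tlv(tbs, pos)
        fields.append((ftag, tbs[start:pos]))   # keep the full TLV slice
    if fields and fields[0][0] == 0xA0:        # explicit [0] version present
        fields = fields[1:]
    return fields[5][1]   # serial, sigAlg, issuer, validity, subject, SPKI


def pin_for_spki(spki_der):
    """Pin encoding base64(SHA-256(SPKI DER)), the form HPKP and Android's
    network security config use."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def check_pins(chain_der, pins, pins_expire_at, now=None):
    """Evaluate an already CA-validated chain against a pin set.

    Returns "pin-match" (proceed), "pin-mismatch" (abort the connection) or
    "pins-expired" (pin set is stale: fall back to CA validation only and ship
    updated pins). Matching any certificate in the chain lets a backup pin for
    a not-yet-deployed key, or an intermediate CA key, carry a key rotation
    without an app update; that is the maintenance side of the tradeoff.
    """
    now = time.time() if now is None else now
    if now >= pins_expire_at:
        return "pins-expired"
    chain_pins = {pin_for_spki(spki_from_cert_der(c)) for c in chain_der}
    return "pin-match" if chain_pins & set(pins) else "pin-mismatch"


def toy_spki(key_byte):
    """Constructed EC-style SPKI placeholder (id-ecPublicKey OID plus a dummy
    BIT STRING); not a real key."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201")))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00\x04" + bytes([key_byte]) * 64))


def toy_cert(spki_der):
    """Constructed, unsigned Certificate skeleton around spki_der; structurally
    valid DER with empty issuer/subject/validity, for parsing tests only."""
    empty = _tlv(0x30, b"")
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
           + empty + empty + empty + empty + spki_der)
    return _tlv(0x30, _tlv(0x30, tbs) + empty + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    leaf, backup, rogue = toy_spki(0x11), toy_spki(0x22), toy_spki(0x33)
    pins = {pin_for_spki(leaf), pin_for_spki(backup)}   # live key + offline backup key
    expiry = time.time() + 90 * 86400                    # re-pin within 90 days
    print(check_pins([toy_cert(leaf)], pins, expiry))
    print(check_pins([toy_cert(rogue)], pins, expiry))
    print(check_pins([toy_cert(rogue), toy_cert(backup)], pins, expiry))
```

The check runs after, not instead of, normal chain validation: pinning narrows the set of acceptable keys, it does not replace hostname and signature checks. A pin set with no backup pin, or no expiry, is exactly the configuration that turns a routine key rotation into an outage, which is the maintenance cost the abstract weighs against the security gain.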

Reference

@inproceedings{DBLP:conf/uss/OltroggeAD0F15,
  author    = {Marten Oltrogge and
               Yasemin Acar and
               Sergej Dechand and
               Matthew Smith and
               Sascha Fahl},
  title     = {To Pin or Not to Pin-Helping App Developers Bullet Proof Their TLS
               Connections},
  booktitle = {24th USENIX Security Symposium, USENIX Security 15, Washington,
               D.C., USA, August 12-14, 2015},
  editor    = {Jaeyeon Jung and
               Thorsten Holz},
  pages     = {239--254},
  publisher = {USENIX Association},
  year      = {2015},
  url       = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/oltrogge},
  biburl    = {https://dblp.org/rec/conf/uss/OltroggeAD0F15.bib},
  bibsource = {dblp computer science bibliography, https://dblp.org}
}