373 – Use certificate pinning

Summary

Mobile applications should use certificate pinning to validate the endpoints. If a pinset is used, up to 2 certificates should be allowed.

Description

Certificate pinning establishes that the mobile application only connects to servers with valid and trusted certificates. This helps to protect against scenarios where an attacker might attempt to use a fraudulent or compromised certificate to intercept or manipulate the communication. Additionally, the application will accept connections from servers that present any of the specified certificates in the pinset.

Supported In

Advanced: True

References

• CAPEC-94. Adversary in the middle (AiTM)
• CWE-297. Improper validation of certificate with host mismatch
• OWASP10-A7. Identification and authentication failures
• OWASPM10-M6. Insecure authorization
• MITRE-M1040. Behavior prevention on endpoint
• CMMC-PE_L1-3_10_5. Manage physical access
• HITRUST-10_c. Control of internal processing
• ISO27002-8_1. User endpoint devices
• ISO27002-8_26. Application security requirements
• IEC62443-IAC-1_9. Strength of public key authentication
• IEC62443-UC-2_3. Use control for portable and mobile devices
• PTES-7_4_2_7. Post exploitation - Pillaging (certificate authority)
• C2M2-9_3_b. Implement IT and OT asset security for cybersecurity architecture
• ISO27001-8_1. User endpoint devices
• ISO27001-8_26. Application security requirements
• OWASPMASVS-NETWORK-2. The app performs identity pinning for all remote endpoints under the developer's control

Last updated

2024/01/18