Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

To Pin or Not to Pin - Helping App Developers Bullet Proof Their TLS Connections

: Oltrogge, M.; Acar, Y.; Dechand, S.; Smith, M.; Fahl, S.

Fulltext ()

USENIX Association:
24th USENIX Security Symposium 2015. Proceedings : Washington, D.C., August 12-14, 2015
Berkeley, CA, USA: USENIX, 2015
ISBN: 978-1-931971-232
Security Symposium <24, 2015, Washington/DC>
Conference Paper, Electronic Publication
Fraunhofer FKIE ()

For increased security during TLS certificate validation, a common recommendation is to use a variation of pinning. Especially non-browser software developers are encouraged to limit the number of trusted certificates to a minimum, since the default CA-based approach is known to be vulnerable to serious security threats.
The decision for or against pinning is always a tradeoff between increasing security and keeping maintenance efforts at an acceptable level. In this paper, we present an extensive study on the applicability of pinning for non-browser software by analyzing 639,283 Android apps. Conservatively, we propose pinning as an appropriate strategy for 11,547 (1.8%) apps or for 45,247 TLS connections (4.25%) in our sample set. With a more optimistic classification of borderline cases, we propose pinning for consideration for 58,817 (9.1%) apps or for 140,020 (3.8%1) TLS connections. This weakens the assumption that pinning is a widely usable strategy for TLS security in non-browser software. However, in a nominalactual comparison, we find that only 45 apps actually implement pinning. We collected developer feedback from 45 respondents and learned that only a quarter of them grasp the concept of pinning, but still find pinning too complex to use. Based on their feedback, we built an easy-to-use web-application that supports developers in the decision process and guides them through the correct deployment of a pinning-protected TLS implementation.