I am using SSL certificate pinning in Retrofit with a SHA-256 key. But it expires after a certain time, and at that point I have to update the application with a new SHA-256 key. It is not a reliable practice to expect customers to update the app every time. How can I prevent this?
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

// certificateBase is the host name pattern; certificateSHA is the "sha256/<base64>" SPKI pin
val certificatePinner: CertificatePinner = CertificatePinner.Builder()
    .add(
        certificateBase,
        certificateSHA
    ).build()
// builder is the OkHttpClient.Builder whose client is handed to Retrofit
val builder = OkHttpClient.Builder()
builder.certificatePinner(certificatePinner)
Second question: if I don't want to use this certificate pinning in Retrofit, I would choose to implement public key pinning using .pem certificate files. Ref link: https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning Does public key pinning require updating the app every time? Is there any pinning method which doesn't require updating the application, just one-time pinning? Thanks in advance.
Some amount of pin rotation is unavoidable, as SSL certificates expire or need to be replaced due to security breaches. You can control the expiration frequency by purchasing a longer-lived certificate. Or, pin to the SSL certificate authority's certificate up the chain, rather than your own, though this offers somewhat less security.
We do not know what you mean by "every time". If the SSL certificate that you are pinning against changes, you need to update the app to reflect the new pins. This is the point of certificate pinning, because your app has no way to distinguish an SSL certificate that was replaced intentionally from an SSL certificate that was replaced by a MITM attacker.
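As an added example (not code from the question, the answer, or OkHttp itself), the following Go program shows concretely what the answer above says about rotation. It builds a constructed in-memory CA and leaf certificate, computes the "sha256/..." pin over the SubjectPublicKeyInfo the way OkHttp's CertificatePinner expects it, and replays the rotations against three pin sets: the leaf pin alone, the leaf pin plus a backup pin for a key generated ahead of time (the approach the linked OWASP page describes), and the issuing CA's pin. Go is used here instead of Kotlin so that the certificates can be generated with the standard library alone; the host name, CA names and the ChainMatchesPins function are assumptions for illustration, written to mirror OkHttp's any-certificate-in-the-chain matching rule rather than taken from OkHttp's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SpkiPin returns the pin OkHttp's CertificatePinner expects: "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)).
// The hash covers the public key only, so a renewal that keeps the key pair keeps the pin.
func SpkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// ChainMatchesPins mirrors OkHttp's rule (assumed here, not OkHttp code): accept when any certificate
// in the presented chain matches any configured pin. No path validation happens here; the TLS stack does that.
func ChainMatchesPins(chain []*x509.Certificate, pins []string) bool {
	for _, c := range chain {
		for _, want := range pins {
			if SpkiPin(c) == want {
				return true
			}
		}
	}
	return false
}

func check(err error) {
	if err != nil {
		panic(err) // key generation or encoding failed; fatal for this constructed demo
	}
}

// issue builds a certificate for cn, signed by parent (self-signed when parent is nil).
// A nil key generates a fresh P-256 key pair; passing an existing key reuses it (a same-key renewal).
func issue(cn string, parent *x509.Certificate, parentKey, key *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil {
		var err error
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // good enough for a throwaway demo PKI
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// RotationOutcome: for each pin set, does a pinned client still connect after the named rotation?
type RotationOutcome struct {
	LeafPinSurvivesSameKeyRenewal  bool // leaf re-issued, key pair reused
	LeafPinSurvivesNewKeyRenewal   bool // leaf re-issued with a fresh key pair
	BackupPinSurvivesNewKeyRenewal bool // current pin plus pin of a pre-generated next key
	CAPinSurvivesNewKeyRenewal     bool // the issuing CA is pinned instead of the leaf
	CAPinSurvivesCARotation        bool // CA pinned, then the CA itself is replaced
}

// RunRotationDemo builds a constructed in-memory PKI (CA -> leaf) and replays each rotation against each pin set.
func RunRotationDemo() RotationOutcome {
	ca, caKey := issue("Example CA", nil, nil, nil)
	leaf, leafKey := issue("api.example.com", ca, caKey, nil)
	leafSameKey, _ := issue("api.example.com", ca, caKey, leafKey) // renewal, same key pair
	leafNewKey, _ := issue("api.example.com", ca, caKey, nil)      // renewal, new key pair
	ca2, ca2Key := issue("Example CA G2", nil, nil, nil)            // the CA itself rotated
	leafUnderCA2, _ := issue("api.example.com", ca2, ca2Key, nil)
	leafPin := []string{SpkiPin(leaf)}
	backupPins := []string{SpkiPin(leaf), SpkiPin(leafNewKey)} // next key generated ahead of time, pinned in advance
	caPin := []string{SpkiPin(ca)}
	return RotationOutcome{
		LeafPinSurvivesSameKeyRenewal:  ChainMatchesPins([]*x509.Certificate{leafSameKey, ca}, leafPin),
		LeafPinSurvivesNewKeyRenewal:   ChainMatchesPins([]*x509.Certificate{leafNewKey, ca}, leafPin),
		BackupPinSurvivesNewKeyRenewal: ChainMatchesPins([]*x509.Certificate{leafNewKey, ca}, backupPins),
		CAPinSurvivesNewKeyRenewal:     ChainMatchesPins([]*x509.Certificate{leafNewKey, ca}, caPin),
		CAPinSurvivesCARotation:        ChainMatchesPins([]*x509.Certificate{leafUnderCA2, ca2}, caPin),
	}
}

func main() {
	fmt.Printf("%+v\n", RunRotationDemo())
}
```

Run it with `go run`. The three outcomes worth noting: a renewal that reuses the key pair keeps the pin valid because the pin hashes the SubjectPublicKeyInfo rather than the certificate, so a renewal process that keeps the server key avoids an app update entirely; pinning the issuing CA survives leaf renewals but not replacement of that CA; and shipping a backup pin for a key generated ahead of time lets the leaf move to a new key without a client update, at the cost of protecting that spare private key offline until it is used.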