Dealing with cert pinning and root detection
The privacy area has been white-hot lately, including litigation and investigations involving VPPA; Wiretap/Pen Register/Trap and Trace; and Opt Out Compliance. Furthermore, with the HHS updates on tracking in the HIPAA context, and the new state privacy laws (such as the My Health My Data Act), we can also expect a ramped-up focus on healthcare, fitness, pharma, nutrition, and medical devices. If a company wants to beat the plaintiffs’ lawyers and regulators to the punch, it is critical that the company conduct periodic network traffic analysis tests (also known as “dynamic testing”) of its mobile apps. Testing allows a company to see what data is collected from the app and by whom.
Occasionally, network traffic analysis can be frustrated by additional security measures used in the financial and healthcare areas (and, increasingly, in areas where sensitive intellectual property may be in play). These measures can include “root detection” and “cert-pinning”. Cert-pinning helps ensure that the company app communicates solely with the intended server by forcing the app to trust a predefined or “pinned” certificate or set of certificates, rather than any certificate the device happens to trust. Cert-pinning is typically used to prevent state-sponsored man-in-the-middle (MITM) attacks (i.e., malicious activities conducted by a government to intercept or otherwise manipulate communications between two parties). Root detection, on the other hand, is used to safeguard users and companies against devices that have been rooted (Android) or jailbroken (iOS) (i.e., modified to bypass the manufacturer’s restrictions), which can compromise the security of the device and of the applications running on it.
Cert-pinning (on both iOS and Android) can frustrate proxying of network traffic because the proxy’s certificate is not among the pinned ones: the app fails certificate validation, refuses the connection, and no traffic can be collected or analysed. Root detection, meanwhile, can frustrate traffic analysis on Android because a rooted Android device is often used to conduct such tests; mobile apps equipped with root detection will simply not run on a rooted phone. All of these issues can pose a major problem for Chief Privacy Officers if their company’s own security protections are preventing them from conducting compliance-critical testing.
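To show concretely why a proxy’s certificate fails validation on a pinning client, here is an added example that is not code from the NT Analyzer team or from any app discussed above. It is a Go TLS client that pins base64(SHA-256(SubjectPublicKeyInfo)) of the server’s key, the same pin format Android’s network_security_config uses, and handshakes over an in-memory pipe against two throwaway self-signed certificates generated at run time: one standing in for the real server and one for an interception proxy that presents the same hostname with a different key. The hostname api.example.test, the certificates and the pin set are all constructed for the example; the function names are the example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by
// Android's network_security_config <pin digest="SHA-256"> entries.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// NewPinVerifier builds a tls.Config.VerifyPeerCertificate callback that accepts the
// handshake only if a presented certificate carries a pinned public key. A proxy's
// certificate, even one signed by a CA the device trusts, never matches.
func NewPinVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := map[string]bool{}
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if allowed[SPKIPin(cert)] {
				return nil
			}
		}
		return errors.New("pinning failure: no presented public key matches a pinned key")
	}
}

// selfSignedCert mints a throwaway self-signed certificate (constructed test data,
// fresh on every run) so the example needs no real CA and no network access.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// handshake runs a TLS handshake over an in-memory pipe between a pinning client and
// a server presenting serverCert; nil means the pin check accepted the server's key.
func handshake(serverCert tls.Certificate, pins []string) error {
	clientConn, serverConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // guards against a stalled pipe
	clientConn.SetDeadline(deadline)
	serverConn.SetDeadline(deadline)
	srv := tls.Server(serverConn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
	cli := tls.Client(clientConn, &tls.Config{
		InsecureSkipVerify:    true, // chain/hostname checks off so only the pin decides here
		VerifyPeerCertificate: NewPinVerifier(pins),
	})
	serverDone := make(chan struct{})
	go func() { _ = srv.Handshake(); close(serverDone) }()
	err := cli.Handshake()
	clientConn.Close() // unblocks the server side whatever state it is in
	<-serverDone
	serverConn.Close()
	return err
}

func main() {
	legit, _ := selfSignedCert("api.example.test")
	proxy, _ := selfSignedCert("api.example.test") // same name, different key
	pins := []string{SPKIPin(legit.Leaf)}
	fmt.Println("pinned key:  ", pins[0])
	fmt.Println("real server: ", handshake(legit, pins)) // <nil>
	fmt.Println("proxy server:", handshake(proxy, pins)) // pinning failure
}
```

The real server completes the handshake; the proxy, whose key is not pinned, is refused before any application data is exchanged, which is the validation error that stops proxy-based traffic capture. In a production client the normal chain and hostname checks stay enabled alongside the pin, and the pin list should include a backup pin for a key held offline so a routine certificate rotation does not lock users out.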
The NT Analyzer team has invested significant time in developing workarounds to successfully handle both cert-pinning and root detection. Through the use of the Frida instrumentation toolkit, mitmproxy, and some custom scripting, we have been able to routinely bypass both hurdles during our testing.
Now, more than ever, it is important for companies to obtain line-of-sight on data collection and sharing that is otherwise hidden from view. For more information about NT Analyzer testing or to discuss this blog post, please contact: NTAnalyzer@nortonrosefulbright.com.