How to do Mobile Certificate Pinning on Cloudflare

Hello Cloudflare Community,

I have a mobile and desktop app that users use to communicate with our server, but the issue is that I can’t find a way to pin certificates with Cloudflare such that traffic won’t be inspected by an attacker.

Certificate pinning is a must-have for banks and financial applications, and I see popular banks (Barclays, Lloyds, etc.) employing these techniques to prevent attackers from modifying traffic with a self-signed cert.

Is there any way to prevent this MITM inspection by an attacker using certificate pinning on Cloudflare?

Thanks

Have a look at the documentation regarding this:


And this one:


I don’t understand these resources and they aren’t relevant to me nor does it help me.

It seems to me that these resources on ‘HPKP’ are for web browsers (where it is rightfully deprecated, because pinning in web browsers doesn’t make sense), which my question is not about. I am specifically asking for mobile apps on iOS and Android.

So if I am on Cloudflare, I should just let my attackers inspect my traffic and impersonate my mobile app by MITM inspection with a regular self-signed certificate?

Because I don’t think Cloudflare’s potential big customers (Banks, Healthcare Providers, Political Organisations and organisations with sensitive information) would want to allow this for their mobile apps.


If your app trusts self-signed certificates, that does indeed sound like a very serious issue that you should fix quickly.

As for PKP, what’s stopping you from implementing it into your app?

If you want a more realistic solution, you could also take a look at https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/.
mTLS is probably the way to go if you are afraid of attackers gaining valid certificates for your domain.


CAA records and certificate monitoring are another layer of defense.

The pain point, as discussed in those articles, is that certs are frequently rotated out, breaking HPKP.

Nothing here is stopping you from using it, but you’re going to have to keep a close eye on it.

You’re probably looking for Cloudflare mTLS if you want two-way mutual TLS: Mutual TLS · Cloudflare Zero Trust docs

Or, probably more relevant and more widely available plan-wise, is Authenticated Origin Pulls: Authenticated Origin Pulls (mTLS) · Cloudflare SSL/TLS docs and Set up Authenticated Origin Pulls · Cloudflare SSL/TLS docs.

Authenticated Origin Pulls helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of Full or Full (strict) encryption modes.

This authentication becomes particularly important with the Cloudflare Web Application Firewall (WAF). Together with the WAF, you can make sure that all traffic is evaluated before receiving a response from your origin server.

Although Cloudflare provides you a certificate to easily configure zone-level authentication, if you want more strict security, you should upload your own certificate. Using a custom certificate is possible with both zone-level and per-hostname authenticated origin pulls and is required if you need your domain to be FIPS compliant.

But you’d want to use custom Authenticated Origin Pulls certs, using your own custom CA cert and signed and uploaded client SSL certs at the zone and custom hostname levels (see the quoted text links), instead of Cloudflare’s default-provided Authenticated Origin Pulls cert.

To apply different client certificates simultaneously at both the zone and hostname level, you can combine zone-level and per-hostname custom certificates.

First set up zone-level pulls using a certificate. Then, upload multiple, specialized certificates for individual hostnames.

You can see the Authenticated Origin Pulls with custom hostname certs example I posted, using the Cloudflare API and creating my own custom CA certs and signed client certs with Cloudflare’s cfssl tool, at GitHub - centminmod/cfssl-ca-ssl.

Jump to the client SSL cert and Cloudflare API upload of custom certs sections: GitHub - centminmod/cfssl-ca-ssl and its subsections.

If you’re OK trusting Cloudflare-provided Authenticated Origin Pulls certs instead of your own custom uploaded certs, you can obtain those via the Cloudflare domain zone dashboard or via the Cloudflare API. I posted an example also at GitHub - centminmod/cfssl-ca-ssl.

Note though that the Cloudflare Authenticated Origin Pulls feature is not compatible with Cloudflare Tunnels (Cloudflare Tunnel · Cloudflare Zero Trust docs); an older example is posted on my blog: https://blog.centminmod.com/2021/02/09/2250/how-to-setup-cloudflare-argo-tunnel-on-centos-7/


It’s not that dependent on CF; certificate pinning works as long as you can “guarantee” a consistent certificate or set of certificates.

There is a “built in” way of doing it with mTLS (Configure mTLS · Cloudflare API Shield docs), but you can also bring your own certificate and verify the certs manually.

It depends on the attack vector.

If the attacker is inspecting the traffic of your application at their own will, pinning won’t do much, since they can easily patch the checks or dump the requests/modify them as your application builds them.

If your only concern is public networks or any other kind of connection interception that doesn’t involve the device being potentially compromised, then mutual TLS or pinning is fine.

However, if your concern is on the RE/device-compromised side of things, your best bet is RASP/tamper protection for mobile applications; however, those are usually very expensive and not that great at preventing attacks.

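The “bring your own certificate and verify the certs manually” approach above, together with the rotation pain point raised earlier in the thread, as an added example that is not from the original thread, from Cloudflare or from any poster: a Go SPKI pin check of the kind a mobile client runs inside its TLS verification callback, with a pre-published backup pin so that a key rotation does not break the app. The hostname api.example.com and the self-signed test certificates are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPin hashes the SubjectPublicKeyInfo: the "pin-sha256" value used by HPKP and
// mobile pinning libraries. Pinning the key, not the cert, survives plain renewals.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// verifyPinned has the shape of tls.Config.VerifyPeerCertificate: the chain passes if
// any presented certificate carries a pinned key. Run it on top of normal validation.
func verifyPinned(rawCerts [][]byte, pins map[string]bool) error {
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err == nil && pins[spkiPin(cert)] {
			return nil
		}
	}
	return errors.New("no certificate in chain matches a pinned SPKI hash")
}
// selfSigned mints a throwaway certificate on a fresh Ed25519 key (constructed data).
func selfSigned(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// Scenario pins the current key plus one pre-published backup key, then checks the
// current key, the key after rotating to the backup, and an attacker's own certificate
// (right hostname, unpinned key). Expected: true, true, false.
func Scenario() (currentOK, rotatedOK, attackerOK bool) {
	current, backup, attacker := selfSigned("api.example.com"), selfSigned("api.example.com"), selfSigned("api.example.com")
	pins := map[string]bool{spkiPin(current): true, spkiPin(backup): true}
	ok := func(c *x509.Certificate) bool { return verifyPinned([][]byte{c.Raw}, pins) == nil }
	return ok(current), ok(backup), ok(attacker)
}
```

On iOS and Android the same check is expressed through the platform's pinning configuration or the HTTP client's pinner, and the backup pin must ship in the app before the server key actually rotates.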

For me, if ONE person performs MITM on my content, they are able to see the data (i.e. JSON) from the request; they can copy the JSON to, say, a video file or a book and download it outside my app.

I only need ONE person to do this on my app and my content is available outside and I cannot afford for that to happen.

This is the level of the kind of attack vector that I am dealing with.

If the attacker is inspecting the traffic of your application at their own will, pinning won’t do much, since they can easily patch the checks or dump the requests/modify them as your application builds them.

If your only concern is public networks or any other kind of connection interception that doesn’t involve the device being potentially compromised, then mutual TLS or pinning is fine.

However, if your concern is on the RE/device-compromised side of things, your best bet is RASP/tamper protection for mobile applications; however, those are usually very expensive and not that great at preventing attacks.

I can see that Snapchat, Robinhood, and tons of other banking apps don’t allow MITM, with great success, so I disagree with your assessment on this.

It should be easy for Cloudflare to allow their customers to have this MITM prevention feature, given other apps are able to do this with ease.

Neither the Play Store nor the App Store allows heavy obfuscation or tamper protection; the measures you can take to prevent MITM are almost non-existent.

The MITM prevention in the apps you mentioned is easily circumvented by any attacker with a minimal background in reverse engineering. All it takes is patching the pinning check or hooking SSL to read or intercept the connection.

These companies want to protect the apps against unwanted tampering where a malicious actor isn’t actively trying to inspect the app (i.e. malware that tries to dump the traffic of all apps and doesn’t actively try to dump the traffic of process X).

They try to prevent it from occurring; however, that doesn’t mean it’s bulletproof. Like I mentioned earlier, anybody can tamper with the behavior of your application at runtime and make traffic inspection an easy task.

Frida is fairly simple to use and can perform the attacks I’m describing with a few lines of code. I understand this is not what you were expecting to hear, but preventing MITM when the attacker has access to the machine is impossible and pointless.


Neither the Play Store nor the App Store allows heavy obfuscation or tamper protection; the measures you can take to prevent MITM are almost non-existent.

They allowed Snapchat, Robinhood, and other banking apps, so this doesn’t look like an issue to me.

It is assumed all banking apps block Frida, so this is an extreme case (which I don’t mind going to, as I have the capital to go to this level, but I shouldn’t need to).

What I am asking Cloudflare to do (since they are in the business of creating and using certificates and protecting APIs and websites) is to prevent the low-hanging fruit (MITM on mobile devices, via cert pinning), which keeps the drive-by amateur ‘curious’ individuals from seeing our traffic.

I understand this is not what you were expecting to hear, but preventing MITM when the attacker has access to the machine is impossible and pointless.

I disagree again: how is this “impossible and pointless” if the companies I’ve mentioned and finance apps are already able to do all of what you’ve mentioned in terms of certificate pinning on mobile devices?

They have a similar risk model as I do that a mobile MITM attack would result in thousands to millions in lost revenue which is why they employ this MITM-prevention strategy in their apps.

Is mTLS the closest thing that does all of what I want? If not, Cloudflare should consider implementing a service to allow us customers to do certificate pinning on mobile devices if they want more enterprises and high revenue businesses to work with them.

I might not be making the point clear: you can add those checks, but they aren’t resilient to tampering and aren’t effective when your concern is RE attacks.

Pinning is like a lock: it’s safe against anybody who simply tries to open the doors of the system; however, if there is a lockpicker who wants to open the door, even an amateur, they will do it, and they will do it easily.
Complex tampering solutions require heavy obfuscation, which neither the App Store nor the Play Store allows; therefore the “locks” you can place on your application are trivial and easily removed.

The applications you keep mentioning do not focus on obfuscating their protocol or the data being sent; they focus on preventing replay of requests from being easily achieved. This is done by bot management/fraud protection SDKs that try to ensure only the application and the SDK can generate valid requests. Cloudflare does not have this kind of protection, but Akamai & Denuvo do.

I emphasize: the apps you mention don’t focus on obfuscating the network; they focus on making the requests hard to replicate. If stopping MITM were remotely possible, cybersecurity solutions wouldn’t obfuscate/encrypt their payloads on top of having TLS/SSL with certificate pinning; they obfuscate the payloads because they know MITM by a malicious actor RE’ing the program is always possible.

You can try to block it, but you can’t have an absolute solution. It’s a constant arms race where vendors add checks and attackers patch them.

Given the limitations of the Android/iOS platforms, cybersecurity vendors are at a clear disadvantage.

They have the risk, that’s correct, but they rely on bot management/tamper protection/fraud protection SDKs to protect them; SSL pinning is a very small portion of the bigger picture that is protecting mobile applications.
