Forum Discussion
SSL pinning
We are in the development stage for a mobile app and we successfully integrated the front-end application server with F5 ASM. We have a new change request to secure the mobile application with SSL certificate pinning.
SSL certificate pinning is required to avoid MITM attacks. We need to check:
1. If we proceed with the change from the application side, what are the required changes on the F5?
2. Is there any alternative change using F5 to avoid the application change and achieve the same target?
2 Replies
- jgranieri
Nimbostratus
Sounds like your app will have an embedded certificate in it? Are you using a CA-signed certificate or self-signed? Certificate pinning basically means your app will contain the certificate embedded in it that you will also host on your front end / perimeter F5 where the SSL negotiation is taking place. However, any changes to your certificate will require application updates in order for SSL to continue to negotiate.
You can embed a host checker (domain level) in your app that makes sure the connection it makes using SSL to your F5 has a valid domain signed by a CA. For example, your mobile app will validate that the SSL connection it makes has a valid CA-signed domain such as . Now when the app makes a connection, as long as your F5 VS SSL profile has that cert named something.yourcompany.com and signed by the CA you specified in your app, then the SSL connection will be negotiated.
- Simon_Waters_13
Cirrostratus
No, the F5 probably can't make your Android app pin.
You can use HPKP to pin certificates in browsers, but it is unlikely that mobile apps will honour these settings, since it requires client side state to be preserved between visits.
There should be no MITM with TLS unless the user or the device has added a trusted CA. But if you want to pin, and many mobile apps do, you'll want to change the app.
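The client-side check the replies describe, as an added example that is not part of the original thread: normal CA and hostname validation stays on, and the SHA-256 fingerprint of the server's leaf certificate is then compared with pins shipped in the app. The function names and the byte strings standing in for certificates are constructed for illustration, and the backup pin goes beyond what the thread states.

```python
import hashlib
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()

def matches_pin(der_cert: bytes, pins: set) -> bool:
    """True if the certificate's fingerprint equals any pin embedded in the app."""
    return fingerprint(der_cert) in {p.lower() for p in pins}

def pinned_connect(host: str, pins: set, port: int = 443) -> ssl.SSLSocket:
    """TLS connection that must pass CA + hostname validation AND the pin check."""
    ctx = ssl.create_default_context()  # CA chain and hostname checks stay enabled
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # The certificate presented by the TLS endpoint (here, the F5 virtual server).
    der = tls.getpeercert(binary_form=True)
    if not matches_pin(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pin")
    return tls

# Constructed stand-ins for DER certificates (not real certificates).
CURRENT_CERT = b"constructed: certificate on the F5 SSL profile today"
RENEWED_CERT = b"constructed: certificate after the next renewal"
OTHER_CA_CERT = b"constructed: same hostname, issued by a CA added to the device"

# Pins as they would be embedded in the app build.
PINS_SINGLE = {fingerprint(CURRENT_CERT)}
PINS_WITH_BACKUP = {fingerprint(CURRENT_CERT), fingerprint(RENEWED_CERT)}

def pin_results() -> dict:
    """Outcome of the pin check for each constructed certificate."""
    return {
        "current, single pin": matches_pin(CURRENT_CERT, PINS_SINGLE),
        "renewed, single pin": matches_pin(RENEWED_CERT, PINS_SINGLE),
        "renewed, backup pin": matches_pin(RENEWED_CERT, PINS_WITH_BACKUP),
        "other CA, backup pin": matches_pin(OTHER_CA_CERT, PINS_WITH_BACKUP),
    }

if __name__ == "__main__":
    for case, ok in pin_results().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

With a single pin, the renewed certificate is rejected until the app is updated; shipping the next certificate's pin in advance lets the F5 profile be rotated without breaking installed clients.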