Giving Android a security boost (Part Two)
Article Summary
Zomato's Android team breaks down SSL certificate pinning: the security feature that could brick your app if done wrong.
Part two of Zomato's security series dives deep into X.509 digital certificates and pinning strategies. The team explains what certificates actually contain and how to choose the right pinning approach without painting yourself into a corner during certificate rotation.
Key Takeaways
- X.509 certificates contain 10 key components: subject, serial number, public key, and more
- Leaf certificate pinning is most secure but requires app updates on rotation
- Public key pinning beats certificate pinning: immune to rotation problems
- Best practice: pin both intermediate and leaf certificates to avoid bricking apps
Public key pinning offers the security of SSL pinning without the certificate rotation headaches that force constant app updates.
About This Article
Zomato's Android team needed to understand the 10 structural components of X.509 digital certificates. These include subject, serial number, issuer, validity dates, public key, algorithm identifier, digital signature, version, and timestamp. Without this knowledge, they risked misconfiguring certificate pinning.
The team documented three common filename extensions for certificates. PEM files use .pem with Base-64 encoding. PKCS files use .p7b, .p7c, or .p12 extensions for exchanging public and private objects. DER files use .cer, .der, or .crt with binary encoding. This guide helped developers pick the right format for their pinning strategy.
Zomato outlined three pinning levels for developers to choose from. Leaf pinning is most secure. Intermediate pinning offers a balanced approach. Root pinning has the largest attack surface. The team recommended pinning both intermediate and leaf certificates together, which reduces the risk of the application breaking while still maintaining strong security.
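To make the difference between pinning a certificate and pinning its public key concrete, here is an added Python example (it is not Zomato's code and not taken from the original post). It builds a small constructed chain in DER form (an intermediate plus a leaf that is later reissued with the same key; signatures are zero placeholders, so these certificates are never verified), walks the DER to pull out the SubjectPublicKeyInfo, and derives both the whole-certificate fingerprint and the `sha256/<base64>` public-key pin that Android's `network_security_config.xml` `<pin digest="SHA-256">` entries and OkHttp's `CertificatePinner` use. The hostname `api.example.com` and the key bytes are assumptions made up for the example.

```python
import base64
import hashlib

# --- Minimal DER encoder (written for this example; real apps load .der/.crt files) ---
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)

def der_len(n):
    """DER length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def name(cn):
    """X.501 Name with a single commonName (OID 2.5.4.3) attribute."""
    return der(SEQUENCE, der(SET, der(SEQUENCE,
        der(OID, bytes([0x55, 0x04, 0x03])) + der(UTF8, cn.encode()))))

def rsa_spki(modulus):
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING RSAPublicKey{n, e=65537} }."""
    alg = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
    key = der(SEQUENCE, der(INTEGER, modulus) + der(INTEGER, b"\x01\x00\x01"))
    return der(SEQUENCE, alg + der(BIT_STRING, b"\x00" + key))

def certificate(serial, subject, issuer, spki, not_before, not_after):
    """X.509 v3 Certificate in the standard tbsCertificate field order.
    The signature is a zero placeholder: these constructed certs are never verified."""
    sig_alg = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    tbs = der(SEQUENCE,
              der(CTX0, der(INTEGER, b"\x02"))          # version [0] = v3
              + der(INTEGER, serial)                    # serialNumber
              + sig_alg                                 # signature algorithm id
              + name(issuer)                            # issuer
              + der(SEQUENCE, der(UTCTIME, not_before) + der(UTCTIME, not_after))
              + name(subject)                           # subject
              + spki)                                   # subjectPublicKeyInfo
    return der(SEQUENCE, tbs + sig_alg + der(BIT_STRING, b"\x00" + bytes(32)))

# --- Parser side: walk the DER and pull out the SubjectPublicKeyInfo ---
def der_iter(data):
    """Yield (tag, value) for each TLV element directly inside data."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                               # long-form length
            count = length & 0x7F
            length, i = int.from_bytes(data[i:i + count], "big"), i + count
        yield tag, data[i:i + length]
        i += length

def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of a certificate."""
    _, cert_body = next(der_iter(cert_der))        # Certificate SEQUENCE
    _, tbs = next(der_iter(cert_body))              # tbsCertificate SEQUENCE
    fields = list(der_iter(tbs))
    if fields[0][0] == CTX0:                        # optional explicit version
        fields = fields[1:]
    tag, value = fields[5]   # serial, sigAlg, issuer, validity, subject, SPKI
    return der(tag, value)

def spki_pin(cert_der):
    """Public-key pin as Android/OkHttp expect it: sha256/<base64 of SPKI digest>."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def cert_fingerprint(cert_der):
    """Whole-certificate pin: changes whenever the cert is reissued."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_der).digest()).decode()

def network_security_config(domain, pins):
    """Render an Android network_security_config.xml pin-set for the given pins."""
    entries = "\n".join(
        f'      <pin digest="SHA-256">{p.split("/", 1)[1]}</pin>' for p in pins)
    return ("<network-security-config>\n  <domain-config>\n"
            f'    <domain includeSubdomains="true">{domain}</domain>\n'
            f"    <pin-set>\n{entries}\n    </pin-set>\n"
            "  </domain-config>\n</network-security-config>")

# --- Constructed sample chain: leaf reissued with the same key, plus an intermediate ---
LEAF_SPKI = rsa_spki(bytes.fromhex("00" + "c3a5" * 16))      # constructed key bytes
INTER_SPKI = rsa_spki(bytes.fromhex("00" + "9e71" * 16))     # different constructed key
INTERMEDIATE = certificate(b"\x10", "Example Intermediate CA", "Example Root CA",
                           INTER_SPKI, b"240101000000Z", b"270101000000Z")
LEAF_V1 = certificate(b"\x21", "api.example.com", "Example Intermediate CA",
                      LEAF_SPKI, b"240101000000Z", b"250101000000Z")
LEAF_V2 = certificate(b"\x22", "api.example.com", "Example Intermediate CA",
                      LEAF_SPKI, b"250101000000Z", b"260101000000Z")   # rotated, same key

if __name__ == "__main__":
    print("leaf v1 cert fingerprint :", cert_fingerprint(LEAF_V1))
    print("leaf v2 cert fingerprint :", cert_fingerprint(LEAF_V2))   # differs after rotation
    print("leaf public-key pin (v1) :", spki_pin(LEAF_V1))
    print("leaf public-key pin (v2) :", spki_pin(LEAF_V2))           # unchanged
    print(network_security_config("api.example.com",
                                  [spki_pin(LEAF_V1), spki_pin(INTERMEDIATE)]))
```

Running the script shows the point the takeaways make: the whole-certificate fingerprint changes when the leaf is reissued, so an app pinning it would break at rotation, while the SPKI pin is identical for both leaf versions because the key was kept. The rendered config carries both the leaf and the intermediate pin, which is the combination the post recommends so that either one still matching keeps the app working.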