Our TeamsID iOS and Android apps were updated today with security enhancements including SSL pinning.
What Is SSL Pinning?
Put simply, SSL pinning means that a mobile application such as TeamsID’s iOS or Android app double-checks the server’s security certificate. We bundle our server’s SSL certificate inside our apps and ensure that every SSL request validates that the certificate the server presents matches the bundled one.
Why Is SSL Pinning Important?
Using SSL for network connections is the standard way of securing data transmission in mobile applications. SSL pinning is an extra step that helps ensure the data connection cannot be eavesdropped on.
In a standard SSL connection, the client app connects to a server and the server responds with its SSL certificate. If that certificate was issued by a trusted authority, the connection is allowed. All data sent through this connection is then encrypted with the server’s public key. The “trust” part is important: for an attacker to perform what is known as a “man in the middle” attack, the mobile device would have to trust the attacker’s certificate. It is highly unlikely that an attacker possesses a trusted certificate, so this is normally not an issue. However, there have been rare cases of compromised SSL certificates, and SSL pinning can mitigate the risk from such cases.
What Does This Mean For Me?
SSL pinning will require us to update our client apps more often. You will need to update your TeamsID iOS and Android apps from their respective app stores for them to keep working.
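As an added illustration (not TeamsID’s own code), here is the pinning check described above written with Python’s standard library: normal CA validation still runs, and the certificate the server presents is additionally compared against fingerprints bundled in the app. The certificate bytes are constructed placeholders, and bundling the pin of the successor certificate next to the current one is one way to soften the update requirement mentioned above.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for the DER-encoded certificates an app would bundle.
# In a real app these are the bytes of the server's actual certificate, i.e.
# what ssl.SSLSocket.getpeercert(binary_form=True) returns for the server.
BUNDLED_CURRENT_CERT = b"constructed-der-bytes-of-current-server-cert"
BUNDLED_NEXT_CERT = b"constructed-der-bytes-of-next-server-cert"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


# The pin set shipped inside the app: the current certificate plus its
# already-issued successor, so a routine certificate rotation does not lock
# users out before they have installed the next app update.
PINNED_FINGERPRINTS = frozenset(
    fingerprint(cert) for cert in (BUNDLED_CURRENT_CERT, BUNDLED_NEXT_CERT)
)


def certificate_is_pinned(presented_der: bytes, pins=PINNED_FINGERPRINTS) -> bool:
    """Return True only if the presented certificate matches a bundled pin.

    A certificate that chains to a trusted CA but is not in the pin set (the
    compromised-certificate case) is rejected here even though ordinary CA
    validation alone would have accepted it.
    """
    return fingerprint(presented_der) in pins


def open_pinned_connection(host: str, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection that passes CA validation AND the pinning check.

    Pinning is layered on top of the default CA and hostname validation,
    not used as a replacement for it.
    """
    context = ssl.create_default_context()  # CA validation + hostname check
    tls = context.wrap_socket(socket.create_connection((host, port)),
                              server_hostname=host)
    try:
        if not certificate_is_pinned(tls.getpeercert(binary_form=True)):
            raise ssl.SSLError(f"certificate for {host} does not match bundled pins")
    except Exception:
        tls.close()  # never hand back a socket that failed the pin check
        raise
    return tls
```

Because the pins are derived from the certificate bytes themselves, a server certificate issued by any trusted authority other than the one bundled fails the check, which is exactly the case pinning is meant to catch.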
If you have any questions about SSL pinning or TeamsID security in general, let us know!