When reading about the different android app stores that are available, I found out that Aurora Store does not implement certificate pinning.
As far as I understand, this means that Aurora store’s connection to google’s app repository is not as secure as the Play Store’s connection. What I do not understand is how less secure it is.
Additionally, according to the privsec.dev article, F-Droid’s official client does not implement certificate pinning either. However, I am not sure if this has been fixed or not.
Is certificate pinning that important for security?
Certificate pinning is useful when you are in a corporate environment or if you run a device supplied to you by a company or malicious body.
Essentially certificate pinning can prevent a more advanced MITM attack. It however isn’t robust.
In order to do a MITM on a website that has utilizes TLS you need a valid certificate. If you want to get around this there are as an attacker two ways:
- get a different root CA on the device of the user. This often happens in companies so they can use something that is called TLS interception to spy on their employees. Or this can happen because your phone is hacked or issued by a malicious vendor.
- This option is more rare but it has happend in the past that an already trusted CA gets compromised and issues a different certificate for the same domain. There is a famous story of the government of Iran who had a valid cert for google.com signed by a trusted root CA.
To prevent the both on top certificate pinning is a good strategy. Especially for point two.
Certificate pinning is often up for discussion as it prevents companies from doing TLS interception and some security experts believe this is a valid security measure ( I tend to disagree ).
You should realize that when a device is compromised on a level like metioned in option 1. The attacker is very likely able to disable or circumvent security measures too. So for that attack it isn’t a sufficient mitigation alone.
These are my two cents.
Certificate pinning is so unimportant to the average person’s security that AOSP specifically recommends against it, and a similar technology except for web browsing (HPKP) was completely killed off because it caused more harm than good.
It’s going to provide a very slight benefit in certain MITM situations, and on a scale as big as Google Play it might make sense for Google to use it, because they can have a very robust implementation including operating their own CA that would be out of reach to the average developer. However, if you trust your device’s certificate store anyways—which you probably do/should—then your risk is nearly 0.
Okay so one more thing. From a security officer perspective:
If you are let’s say a bank or other company that processes sensitive data that is secured by TLS. You will want to prevent that your customers data is seen by their employers. Employers commonly install their own root certificate to be able to use a TLS interceptor in the name os security. This however allows the employer to monitor, see, log, share all network activity. Including the customers sensitive data. In the name of your reputation you definitely want to stop that from happening and also to protect gour customers from snooping in bosses.
Of course you should never use your corporate device for personal things. People here know that. I just wanted to highlight a very valid concern and reason for a developer to implement this.
For installing app updates? I would hope you can trust your employer with that and also android will still check the signature of the app so this isn’t much of a concern in the case of the OP.
Thank you both for your answers.