Certificate Pinning and Hostname Verification: Don’t Get Pinned by a Mobile Man-In-The-Middle Attack
Description
Recent news stories have brought attention to a research paper (“Spinner: Semi-Automatic Detection of Pinning without Hostname Verification”) published this week highlighting man-in-the-middle (MITM) vulnerabilities in a number of public mobile apps. The vulnerability springs from a failure to validate that the hostname on the certificate matches the actual host to which an app connects.
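The failure described above, as an added example (not code from the original article or from the Spinner paper): a simplified Python model of a client that pins a CA key, run with and without the hostname check. The `Cert` class, the hostnames and the key bytes are constructed for illustration, and chain signature and expiry validation are assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 certificate (constructed model, not a parser)."""
    spki: bytes            # public key bytes; the pin is SHA-256 over these
    dns_names: tuple = ()  # subjectAltName dNSName entries (empty for CA certs)

def spki_pin(cert):
    return hashlib.sha256(cert.spki).hexdigest()

def hostname_matches(cert, host):
    """Exact match, or a left-most '*' label that covers exactly one host label."""
    host_labels = host.lower().rstrip(".").split(".")
    for name in cert.dns_names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False

def accept_connection(chain, host, pins, verify_hostname=True):
    """chain[0] is the leaf. Returns True only if the client should proceed."""
    if not any(spki_pin(c) in pins for c in chain):
        return False  # no certificate in the chain matches a pin
    if verify_hostname and not hostname_matches(chain[0], host):
        return False  # pinned chain, but the leaf was issued for another host
    return True

# Constructed sample data: one CA and two leaf certificates it issued.
CA = Cert(spki=b"constructed-ca-key")
API_LEAF = Cert(spki=b"constructed-leaf-key-1", dns_names=("api.bank.example",))
OTHER_LEAF = Cert(spki=b"constructed-leaf-key-2", dns_names=("*.other.example",))
PINS = {spki_pin(CA)}  # the app pins the CA key, not the leaf

def demo():
    host = "api.bank.example"
    return {
        "legit": accept_connection([API_LEAF, CA], host, PINS),
        "other_no_check": accept_connection([OTHER_LEAF, CA], host, PINS, verify_hostname=False),
        "other_checked": accept_connection([OTHER_LEAF, CA], host, PINS),
    }
```

With the hostname check disabled, the pin alone accepts a leaf issued for a different host because it chains to the same pinned CA; with the check enabled, that connection is refused.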