Secure your Flutter App: SSL Pinning

Atri Das
5 min read · Aug 2, 2021

In the era of digitalization, when we are surrounded by technology, security has become a very big component that cannot be neglected. So, I have just learned and implemented one of the ways to secure my Flutter app, which is SSL pinning.

So, what is SSL pinning?

SSL stands for Secure Sockets Layer. An SSL certificate creates a trusted connection between the server and the client. This connection ensures that the data transmitted between the client and the server stays private and secure.

Which problem does SSL pinning solve?

SSL pinning solves the MITM (Man In The Middle) attack. So, what is a Man in the Middle attack? Suppose a person intercepts the client-server connection and inserts a bad certificate; this can lead to a data breach and leakage of private user information.

To prevent this kind of threat, SSL pinning is one of the options.

How does SSL pinning work?

In simple language, the backend developer gives a server certificate to the front-end developer, and the front-end developer pins that certificate in every API call, so the HTTP client treats this certificate as the trusted one. Now if a MITM happens and the app receives a bad certificate, the API calls fail with a handshake error.

Well, the concept is easy, right? So, in summary: we cannot call a specific server with another server's certificate.

Limitations:

Yes, this method also has limitations. As I understand them, they are:

First, if we have to build a browser-like app that has to visit multiple websites, including unknown ones, then we cannot use SSL pinning.

Second, every year the server certificate gets renewed, and it changes. So we have to update the app with every new certificate, even if there is no change in the app logic or the UI/UX.

Okay, let's implement it in a demo Flutter app.

In this example, we will pin the certificate from facebook.com, then try to hit google.com and check the result.

First of all, get the certificate:

Step 1:

Open facebook.com (you can open any website you want, but I am testing with Facebook) → open the developer console (for Chrome it is Ctrl+Shift+J) →

then go to Security,

click on View certificate,

then in the new pop-up window click on Details,

then Copy to File, and you can save the certificate.

Most probably the certificate extension will be .cer, but we have to convert it to .pem to make it compatible with the Flutter SDK.

To convert the file, put it in a folder, open that folder in the terminal, and run the command:

openssl x509 -inform der -in demo.cer -out demo.pem

demo is the file name; you can use your own.

Next step:

Create a Flutter project, add the certificate as an asset and register it in pubspec.yaml.

Now, let's start coding. In this basic example, I will add a button, and when it is pressed we will make the network request. To deal with network requests, I will be using the dio package.

Here is the code snippet.

First of all, we read the file as bytes and add it to the dio client. Then we make the network request with the same dio object.

So, let's try this out:

When we hit facebook.com with the certificate we pinned, we get this type of response, which is a good one:

But when we hit google.com with the same certificate, the response looks like this:

We get a handshake error because the certificate is invalid for that server. Thus, we can secure our connection with this method, as we cannot reach other servers with the certificate that is bundled in the application.
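The steps above (read the asset bytes, hand them to the dio client, call facebook.com and then google.com) written out as an added example. This is not the article's gist; it targets dio 5's IOHttpClientAdapter (dio 4 used DefaultHttpClientAdapter.onHttpClientCreate instead), and the asset path assets/demo.pem and the function names createPinnedDio, probe and runDemo are my own choices.

```dart
// Added example, not the article's code. Assumes dio ^5.x and that
// assets/demo.pem (the converted certificate) is registered in pubspec.yaml.
import 'dart:io';

import 'package:dio/dio.dart';
import 'package:dio/io.dart';
import 'package:flutter/services.dart' show rootBundle;

/// Builds a Dio instance whose TLS trust store contains only the bundled
/// certificate. withTrustedRoots: false is already the default for
/// SecurityContext, but stating it makes the intent explicit: the OS root
/// store is NOT consulted, so any server that does not match demo.pem fails
/// the handshake instead of being accepted through a public CA.
Future<Dio> createPinnedDio(String assetPath) async {
  final certBytes = (await rootBundle.load(assetPath)).buffer.asUint8List();

  final dio = Dio(BaseOptions(
    connectTimeout: const Duration(seconds: 10),
    receiveTimeout: const Duration(seconds: 10),
  ));

  // Every HttpClient dio creates gets the pinned SecurityContext.
  dio.httpClientAdapter = IOHttpClientAdapter(
    createHttpClient: () {
      final context = SecurityContext(withTrustedRoots: false)
        ..setTrustedCertificatesBytes(certBytes);
      return HttpClient(context: context);
    },
  );
  return dio;
}

/// Performs a GET and turns the outcome into a message suitable for the UI.
/// A pin mismatch surfaces as a HandshakeException carried inside
/// DioException.error, so it is distinguished from ordinary network failures.
Future<String> probe(Dio dio, String url) async {
  try {
    final response = await dio.get<String>(url);
    return 'OK ${response.statusCode} from $url';
  } on DioException catch (e) {
    if (e.error is HandshakeException) {
      return 'PIN MISMATCH for $url: ${e.error}';
    }
    return 'Request failed for $url: ${e.message}';
  }
}

/// The article's test with one pinned client and two hosts; wire this to the
/// button's onPressed and show the returned strings.
Future<List<String>> runDemo() async {
  final dio = await createPinnedDio('assets/demo.pem');
  return [
    await probe(dio, 'https://www.facebook.com'), // host the pin was taken from
    await probe(dio, 'https://www.google.com'), // host with a different cert
  ];
}
```

setTrustedCertificatesBytes can be called once per certificate (or the PEM file can hold several), so the renewed certificate can be bundled next to the current one before the old one expires; that softens the yearly update described under Limitations, because the app keeps working across the switch-over.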

Here is another example with HttpClient using a global context; use whichever suits you:
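The global-context variant, as an added example rather than the article's second gist: the pin is installed once through HttpOverrides.global, so every dart:io HttpClient in the process (and packages built on it, such as package:http) uses the bundled certificate as its only trust root. The class PinnedHttpOverrides, the helpers installPin and fetch, and the asset path assets/demo.pem are assumptions of this example.

```dart
// Added example, not the article's code. Assumes assets/demo.pem is
// registered in pubspec.yaml; no third-party HTTP package is needed.
import 'dart:convert';
import 'dart:io';

import 'package:flutter/services.dart' show rootBundle;
import 'package:flutter/widgets.dart';

/// Replaces the SecurityContext of every HttpClient created in this isolate
/// with one that trusts only the pinned certificate.
class PinnedHttpOverrides extends HttpOverrides {
  PinnedHttpOverrides(this.certBytes);

  final List<int> certBytes;

  @override
  HttpClient createHttpClient(SecurityContext? context) {
    // Ignore whatever context the caller passed in and trust only the pin;
    // withTrustedRoots: false keeps the OS root store out of the picture.
    final pinned = SecurityContext(withTrustedRoots: false)
      ..setTrustedCertificatesBytes(certBytes);
    return super.createHttpClient(pinned);
  }
}

/// Loads the bundled certificate and installs the override. Call this before
/// the first network request, e.g. at the top of main().
Future<void> installPin(String assetPath) async {
  WidgetsFlutterBinding.ensureInitialized(); // rootBundle needs the binding
  final bytes = (await rootBundle.load(assetPath)).buffer.asUint8List();
  HttpOverrides.global = PinnedHttpOverrides(bytes);
}

/// Plain dart:io request; HttpClient() picks up HttpOverrides.global, so no
/// per-request pinning code is needed here.
Future<String> fetch(String url) async {
  final client = HttpClient();
  try {
    final request = await client.getUrl(Uri.parse(url));
    final response = await request.close();
    final body = await response.transform(utf8.decoder).join();
    return 'OK ${response.statusCode}, ${body.length} bytes from $url';
  } on HandshakeException catch (e) {
    // The server's certificate does not match the pin: same failure the
    // article shows for google.com.
    return 'PIN MISMATCH for $url: ${e.message}';
  } finally {
    client.close(force: true);
  }
}

Future<void> main() async {
  await installPin('assets/demo.pem');
  print(await fetch('https://www.facebook.com'));
  print(await fetch('https://www.google.com'));
}
```

The trade-off between the two approaches is scope: the dio adapter pins one client and leaves other HTTP traffic (image loading, analytics SDKs built on dart:io) untouched, whereas HttpOverrides.global pins everything, which is exactly what you want for an app that talks to a single backend and exactly what breaks a browser-like app, as the Limitations section notes.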

So, I have described the concept of SSL pinning as I understood it; it may have other aspects also. But I am not digging into it further, as according to me security is a myth. There is no such thing as an invulnerable system; there is always a way to penetrate, and we are watching data breaches at too many unicorn companies.

Anyway, to know more about SSL pinning, I suggest these two resources.
