To increase the security of network traffic, mobile app developers can employ SSL (TLS) pinning. In Flutter, SSL pinning means binding the app to a particular server certificate (or its public key): the app only completes a TLS connection if the certificate presented by the remote server matches the one embedded in the app.
The main purpose of SSL pinning is to reduce the risk of man-in-the-middle (MITM) attacks. Ordinary TLS trusts any certificate issued by one of the many certificate authorities in the device trust store; pinning narrows that trust to the single certificate or key you expect, so an attacker who has installed a rogue CA on the device, or who holds a mis-issued certificate, can neither intercept nor alter the traffic.
Mobile applications, including those built with Flutter, often use pinning to protect data exchanged between the app and its backend. By enforcing a particular certificate or public key, the app only talks to the authentic server, which lowers the risk of interception and unauthorised access. Let’s look at its advantages and disadvantages.
What are the Advantages of using SSL Pinning?
- Enhanced Protection: By trusting only a specific certificate (or public key) instead of every certificate authority in the device’s trust store, SSL pinning adds a further layer of protection. Impersonating the server becomes much harder for an attacker, even one holding a certificate issued by a CA the device trusts.
- Defence Against MITM Attacks: In a Man-in-the-Middle (MITM) attack, an attacker intercepts and manipulates data travelling between the app and the server, typically by presenting their own certificate. Pinning rejects that certificate, so the interception fails.
- Data Integrity: By verifying that it is really talking to the legitimate server, the app preserves the confidentiality and integrity of the data in transit and lowers the risk of tampering.
- Compliance: Pinning is a recognised security best practice and may be required or recommended by specific security standards and regulations.
What are the Disadvantages of SSL Pinning?
- Maintenance Overhead: SSL pinning requires careful management of certificates. If the server’s certificate changes and the app pins the leaf certificate, the app must ship with the new certificate before the old one expires, which is cumbersome and error-prone. Pinning the public key (which can survive a renewal) and shipping a backup pin for the next key reduces this risk.
- Reduced Flexibility: Switching servers or rotating certificates becomes harder, since each change requires an app update, and users who have not updated lose connectivity.
- Potential False Sense of Security: Pinning is not a silver bullet. It does not protect against an attacker who controls the device (on a rooted or jailbroken phone the pinning check can be hooked or patched out), and other security measures are still needed.
- Increased Development Complexity: Implementing pinning adds complexity. Pinned certificates or keys must be managed carefully, and an implementation mistake can either break connectivity or, worse, silently disable the pin (for example, by accepting any certificate in the bad-certificate callback).
How can we Implement SSL Pinning in Flutter?
There are two ways. The first uses the http_certificate_pinning package; the second uses no third-party pinning library, only dart:io and the http package.
1. With the help of http_certificate_pinning:
Create a new project and add http_certificate_pinning to the pubspec.yaml file.
Then we need the SHA-1 or SHA-256 fingerprint of the server certificate to validate against. It is generated from the .crt certificate with openssl, as follows:
Download the certificate from your server (for example, export it from the browser’s certificate viewer). Depending on whether the exported file is DER- or PEM-encoded, convert it to a PEM .crt with one of these commands:
openssl x509 -inform DER -in certificate.cer -out certificate.crt
openssl x509 -inform PEM -in certificate.cer -out certificate.crt
Then get the fingerprint from the .crt file with one of these commands:
openssl x509 -noout -fingerprint -sha256 -inform pem -in abc.crt
openssl x509 -noout -fingerprint -sha1 -inform pem -in abc.crt
The output looks like this (prefer SHA-256; SHA-1 is kept only for compatibility with older pins):
SHA256 Fingerprint=9C:FA:0D:7B:25:19:26:B4:45:04:A0:F7:21:D9:04:47:BF:F7:45:3F:FC:B8:32:B8:C1:07:8B:2E:3D:19:0E:5E
Then, before calling the server, we check whether the connection is pinned correctly by calling the package’s check function with the server URL and the list of allowed fingerprints.
In checkMsg we get a string such as “CONNECTION_SECURE” or “CONNECTION_NOT_SECURE”.
Then we run this check before every API call.
So when the connection is insecure, the API call is also stopped in the application. Note that the check is made on a separate connection; the API request itself is only protected if it is sent through a client that enforces the same pin, otherwise a MITM could pass the probe and still intercept the real call.
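As an added example (not code from the original post, nor from the http_certificate_pinning package itself), here is how the check and the guarded API call from this section fit together in Dart. The check and SecureHttpClient signatures follow the package’s README as I recall them, so verify them against the version you install; the PinnedApi class, baseUrl, the request path, the timeout value and the placement of the fingerprint list are assumptions. The fingerprint constant is the one printed above; put your backup pin beside it.

```dart
import 'package:http/http.dart' as http;
import 'package:http_certificate_pinning/http_certificate_pinning.dart';

/// SHA-256 fingerprints the app accepts, copied from the
/// `openssl x509 -noout -fingerprint -sha256` output above.
/// Keep a second (backup) entry for the next certificate so a renewal
/// does not lock out users who have not updated the app.
const List<String> allowedSHAFingerprints = <String>[
  '9C:FA:0D:7B:25:19:26:B4:45:04:A0:F7:21:D9:04:47:BF:F7:45:3F:FC:B8:32:B8:C1:07:8B:2E:3D:19:0E:5E',
  // 'XX:XX:...'  <- backup pin for the next certificate (add before rotating)
];

/// Hypothetical API wrapper: every request goes through a client that
/// enforces the same pins the probe checks.
class PinnedApi {
  PinnedApi(this.baseUrl);

  /// Assumed base URL, e.g. 'https://api.example.com'.
  final String baseUrl;

  /// Client for the real API calls. Because it enforces the pin on each
  /// request, a MITM cannot slip in between the probe and the call.
  late final http.Client _client =
      SecureHttpClient.getClient(allowedSHAFingerprints: allowedSHAFingerprints);

  /// Probe the server and report whether its certificate matches a pin.
  /// The package resolves to "CONNECTION_SECURE" on a match; anything else
  /// (another message, a thrown exception, a timeout) is treated as insecure.
  Future<bool> isConnectionSecure() async {
    try {
      final String checkMsg = await HttpCertificatePinning.check(
        serverURL: baseUrl,
        headerHttp: <String, String>{},
        sha: SHA.SHA256,
        allowedSHAFingerprints: allowedSHAFingerprints,
        timeout: 50, // assumed timeout (seconds), per the package README
      );
      return checkMsg == 'CONNECTION_SECURE';
    } catch (_) {
      // Network failure or pin mismatch: never fall back to an unpinned call.
      return false;
    }
  }

  /// GET a path only when the probe succeeds; the request itself is also pinned.
  Future<http.Response> get(String path) async {
    if (!await isConnectionSecure()) {
      throw StateError('CONNECTION_NOT_SECURE: refusing to call $path');
    }
    return _client.get(Uri.parse('$baseUrl$path'));
  }
}

/// Example call site (hypothetical endpoint).
Future<String> loadProfile(PinnedApi api) async {
  final response = await api.get('/v1/profile');
  return response.body;
}
```

The probe alone is a time-of-check/time-of-use gap; routing the actual request through the pinned client is what makes the guard meaningful. When the probe fails, surface an error rather than retrying with a plain http.Client.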
2. SSL Pinning Without Using any Third Party:
Create a new project and add the http package to the pubspec.yaml file.
Above we validated fingerprints (SHA-256 or SHA-1). Here we check the certificate itself instead. For that we need the certificate in PEM form; we can export it from the browser as before, or fetch it directly from the terminal.
We already saw how to export a certificate from the browser. Alternatively, fetch it with this command:
openssl s_client -showcerts -connect {YOUR_SERVER}:443 -servername {YOUR_SERVER} 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > {GIVE_CERTIFICATE_NAME}.pem
After running this command you will find the certificate in your directory. Because of -showcerts, the file contains the whole chain the server sent; the first block is the server (leaf) certificate. If you trust the whole file, every certificate issued under the included CA is accepted, so keep only the leaf block for a strict pin.
Then add that .pem file to the project as an asset and declare it under the assets section of pubspec.yaml.
After adding the certificate we configure the client: load the certificate, put it in a SecurityContext created with withTrustedRoots: false (so the OS trust store is not consulted and the pinned certificate is the only trusted one), create a dart:io HttpClient from that context, wrap it in an http client, and make every API call through it.
So whenever the app calls the server, the TLS handshake first verifies the server’s certificate against the pinned one. If it matches, the API call works normally; if it does not, the connection fails with a handshake error caused by the certificate mismatch, before any request data is sent.
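As an added example (not the original post’s code, which was shown only as screenshots), here is the complete no-third-party configuration in Dart: load the PEM asset, keep only the leaf certificate block, verify that its SHA-256 fingerprint matches the value obtained with openssl, build a SecurityContext that trusts nothing else, and route every request through the resulting client. It assumes the certificate is bundled as assets/server.pem and declared under flutter: assets: in pubspec.yaml, that the crypto and http packages are in pubspec.yaml, and that expectedFingerprint is the fingerprint printed earlier on this page; fetchProfile is a hypothetical call site.

```dart
import 'dart:convert';
import 'dart:io';
import 'dart:typed_data';

import 'package:crypto/crypto.dart';
import 'package:flutter/services.dart' show rootBundle;
import 'package:http/http.dart' as http;
import 'package:http/io_client.dart';

/// Fingerprint we expect the bundled certificate to have (value taken from
/// the openssl output on this page; replace with your own server's value).
const String expectedFingerprint =
    '9C:FA:0D:7B:25:19:26:B4:45:04:A0:F7:21:D9:04:47:BF:F7:45:3F:FC:B8:32:B8:C1:07:8B:2E:3D:19:0E:5E';

/// Return only the first CERTIFICATE block. `openssl s_client -showcerts`
/// writes the whole chain, leaf first; trusting the CA blocks too would
/// accept any certificate that CA ever issues.
String firstCertificateBlock(String pem) {
  final match = RegExp(r'-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----')
      .firstMatch(pem);
  if (match == null) {
    throw const FormatException('no CERTIFICATE block found in PEM data');
  }
  return match.group(0)!;
}

/// Strip the PEM armour and decode the base64 body to DER bytes.
Uint8List pemToDer(String pemBlock) => base64.decode(pemBlock
    .replaceAll(RegExp(r'-----(BEGIN|END) CERTIFICATE-----'), '')
    .replaceAll(RegExp(r'\s'), ''));

/// SHA-256 fingerprint in the "AA:BB:..." form that
/// `openssl x509 -noout -fingerprint -sha256` prints, so the two compare directly.
String sha256Fingerprint(List<int> der) => sha256
    .convert(der)
    .bytes
    .map((b) => b.toRadixString(16).padLeft(2, '0').toUpperCase())
    .join(':');

/// Build an http.Client that completes a TLS handshake ONLY with a server
/// presenting the bundled certificate.
Future<http.Client> createPinnedClient({String assetPath = 'assets/server.pem'}) async {
  final ByteData data = await rootBundle.load(assetPath);
  final String pem =
      utf8.decode(data.buffer.asUint8List(data.offsetInBytes, data.lengthInBytes));
  final String leafPem = firstCertificateBlock(pem);

  // Fail fast if the asset is not the certificate we think it is (wrong file
  // checked in, or the server certificate was rotated but the pin was not).
  final String actual = sha256Fingerprint(pemToDer(leafPem));
  if (actual != expectedFingerprint) {
    throw StateError('bundled certificate $actual does not match pin $expectedFingerprint');
  }

  // withTrustedRoots: false drops the OS trust store, so a certificate signed
  // by any public CA, or by a CA an attacker installed on the device, is
  // rejected; only a chain ending in the bundled leaf verifies.
  final SecurityContext context = SecurityContext(withTrustedRoots: false)
    ..setTrustedCertificatesBytes(utf8.encode(leafPem));

  final HttpClient ioClient = HttpClient(context: context)
    // Never accept a certificate that failed verification: returning true
    // here would silently undo the pin.
    ..badCertificateCallback = (X509Certificate cert, String host, int port) => false;

  return IOClient(ioClient);
}

/// Hypothetical call site. A server whose chain does not end in the pinned
/// certificate fails with a HandshakeException before any request bytes leave
/// the device.
Future<String> fetchProfile(http.Client client, Uri url) async {
  try {
    final http.Response response = await client.get(url);
    return response.body;
  } on HandshakeException catch (e) {
    // Certificate mismatch or an intercepting proxy: do not retry unpinned.
    throw StateError('pinned TLS handshake failed for ${url.host}: ${e.message}');
  }
}
```

Create the client once at startup and reuse it for all calls. The fingerprint check at load time is what ties this approach back to the openssl output from the first method: if the value you pinned in code and the PEM you bundled disagree, the app refuses to start the client instead of failing later with a confusing handshake error.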
Wrapping Up
SSL pinning in Flutter consists of binding the app to a specific server certificate (or public key), guaranteeing that the app only completes connections to servers that present that exact certificate. By confirming the server’s identity on the client side rather than trusting every CA on the device, it hardens the channel between the mobile app and the server against threats such as man-in-the-middle attacks and stops unauthorised parties from eavesdropping on or modifying the traffic.
Implementing SSL pinning is especially important in apps that handle sensitive information or transactions, as it reduces the risk of data interception and unauthorised access. While it complicates development, the security benefit makes it a worthwhile practice for maintaining the integrity and confidentiality of data sent between a Flutter app and its backend. To maintain a strong security posture over the lifecycle of the app, developers should manage the pinned certificates carefully, ship a backup pin, and rotate pins before the current certificate expires.