What is WhatsApp certificate pinning?

Table of Contents

WhatsApp does not perform SSL pinning when establishing a trusted connection between the mobile applications and back-end web services. Without SSL pinning enforced, an attacker could man-in-the-middle the connection between the mobile applications and back-end web services.

Is certificate pinning a good idea?

These practices, when implemented correctly, could enhance security, but it did not take long for the web community to find out pinning was not such a great idea. What can go wrong with Certificate Pinning? Pinning, especially with HPKP, was extremely risky and error prone.

Does WhatsApp use certificates?

The WhatsApp Business API Client generates a self-signed certificate by default when it is created. The Certification Authority (CA) certificate used to generate the self-signed certificate might be required to verify the WhatsApp Business API Client endpoint and avoid a certificate trust warning.

What is certificate pinning mobile apps?

Certificate Pinning is the process in which an app stores specific certificates or public key hashes in the app itself, thereby foregoing the verification process as described above. Instead, the app verifies a server certificate or CA certificate it received directly against the stored certificate or public key hash.

Why do we need Certificate pinning?

Certificate pinning has gained the most traction on mobile device platforms like Android and iOS as it offers an additional layer of security to communications.

Is Certificate pinning still used?

HPKP got deprecated in 2018 after intents of removing it started in 2017. Almost all browsers no longer support it as attacks against HPKP surfaced. HPKP is being replaced by the reactive Certificate Transparency framework coupled with the Expect-CT header.

Is certificate pinning necessary Android?

Caution: Certificate Pinning is not recommended for Android applications due to the high risk of future server configuration changes, such as changing to another Certificate Authority, rendering the application unable to connect to the server without receiving a client software update.

Should I use SSL pinning?

Why Do You Need SSL Certificate Pinning? SSL pinning allows the application to only trust the valid or pre-defined certificate or Public Key. The application developer uses SSL pinning technique as an additional security layer for application traffic.

What is Certificate pinning in Android?

SSL (Secure socket layer) Certificate Pinning, or pinning for short, is the process of associating a host with its certificate or public key. Once you know a host’s certificate or public key, you pin it to that host.

Why you should delete WhatsApp?

Privacy Versus Profit. The primary reason why I decided to delete WhatsApp is privacy. Back in 2014, WhatsApp co-founder Jan Koum sold his app to Mark Zuckerberg’s Facebook for in or around $16 billion. Koum would stay on at Facebook as a member of the board, before leaving in silence late in 2019.