Mobile Apps Secured With Data Theorem’s TLS Pinning Protect Data From Eavesdropping Better Than Web Browser App Equivalents

Data Theorem, Inc., a leading provider of modern application security, announced today that mobile applications equipped with TrustKit, Data Theorem’s Transport Layer Security (TLS) pinning library, protect the transmission of data better than web applications. The new level of mobile app security ensures user privacy, maintains data integrity, and blocks unknown attackers.

TLS pinning stops eavesdropping and HTTPS man-in-the-middle (MiTM) attacks. Accessing medical records or bank statements is safer through mobile apps with TLS pinning than through a hospital or banking website via a web browser. While TLS pinning has existed as a concept, Data Theorem’s TrustKit, a free open-source security library, is the industry’s first solution to significantly ease the equipping of mobile apps with TLS pinning. TrustKit delivers protection for data transmission in modern apps superior to security in web browser applications.

“TLS pinning ensures that mobile apps are less likely to be vulnerable to certificate attacks – which ultimately can enable man-in-the-middle attacks and eavesdropping,” said Professor Dan Boneh, head of the Stanford University Applied Cryptography Group and co-director the Stanford Computer Security Lab. “It is particularly valuable when connecting phones to a mobile hot spot or to a hotel Wi-Fi where you have little control over how your data is routed. It is also important when connecting in less stable countries where you might be worried about the certificate infrastructure.”

TrustKit has a growing community of thousands of application developers, allowing it to further “anti-eavesdropping” as a new standard in mobile app security. Data Theorem recently announced that TrustKit has identified more than 100 million eavesdropping attempts on iOS and Android applications, where apps in active mode have blocked 100 percent of those attempts.

TLS pinning is a security capability to prevent active eavesdropping (MiTM). TLS Pinning ensures the client checks the server-side certificate against a known copy of that certificate before executing any sensitive network communication. Browser vendors have largely moved away from pinning since Web browser pinning (aka HPKP) required too much effort for site operators to maintain properly, and it could not be used against all other sites. The ability to update certificates quickly on mobile platforms is far better than with desktop web browsers.

“Thanks to the effort of the TrustKit community, customers are developing mobile applications that are more secure than their web browser equivalents,” said Alban Diquet, Data Theorem Head of Engineering and author of TrustKit. “TrustKit is the industry’s first solution to offer mobile app developers an easy-to-use TLS pinning SDK to encrypt network communication for mobile apps. One of the benefits of TLS pinning on mobile is actively stopping threats to organizations that are commonly introduced by mobile device spyware and compromised Certificate Authorities (CA).”

While the TLS pinning concept for mobile apps is well known, it has been very difficult and time-consuming to implement (TLS pinning in mobile apps requires both significant operational and code-level changes). TrustKit facilitates code-level implementation in a matter of minutes by providing a “drag and drop” TLS public key pinning library. Whenever an eavesdropping attempt occurs, the TrustKit library within the app sends a notification report back to Data Theorem for the delivery of rich analytics, visualizations, and alerts of malicious attacks and potential downtime.

Download and Availability

Data Theorem’s TrustKit is available free for open source developers and users. For more information, see: https://analytics.datatheorem.com. To download the developer SDK, see: https://github.com/datatheorem/TrustKit.