Search code examples
androidiossecuritysdk

If I build an SDK, is it necessary that I implement certificate pinning?

Most, if not all, articles state that certificate pinning is important for apps. However, there is not much discussion whether it is necessary to implement it if you are creating your SDK and vending it for others to use.

Some questions come to mind

  1. If I add certificate pinning to my SDK, will it interfere with the client's networking implementation? (eg. introduce bugs or crashes)
  2. If do not add certificate pinning and the client integrating my SDK does, will that be enough to guarantee that data sent to my SDK's servers be "safe"? (I would guess not since clients do not know which sources are "safe" from the SDK's standpoint)

I haven't done much SDK develop and am genuinely curious. Thanks in advance!

What I've tried

  • Read up on certificate pinning for apps
  • Implemented certificate pinning for small apps
Solution

  • The very first thing to ask what remote service your SDK is connecting to?

    There are several possible options here:

    1. Your SDK is only the mobile part of the solution you provide and there is only backend integration which client need to implement in his backend.

    In that case I would suggest to leave certificate pinning to the client as he should be responsible for whether app is contacting his trusted backend. If it is done correctly the whole app will be correctly protected.

    1. Your SDK is contacting some remote server which is yours

    In that case you have basically two options:

    • Leave the pinning to the client(by e.g doing nothing or putting some recommendations in your SDK documentation), not recommended as then you don't have control over the safety of your SDK
    • Implement pinning on your side in the SDK itself(recommended one)
    1. Your SDK is contacting some remote service which is public and owned by some other vendor(e.g some AWS service, or Google Service/API)

    In that case you have the same options as in the point 2 but leaving the pinning to the client is less dangerous as these services are using well-known publicly trusted certificates and has other anti-abuse measures(e.g you need to have correct token to communicate with the service and have some account created in their infrastructure etc).

    1. There is also an option(which I think is not applicable here but I've enumerated it just for clarity) that your SDK is purely offline and there is no communication with any remote service.

    Of course in that case there is no need for certificate pinning per se.

    Answering your questions more directly: If like you stated you have your own SDK servers I will opt for implementing with the pinning on SDK side.

    About whether it interfere with the clients certificate pinning it depends on the how you implemented the certificate pinning itself, as there are several methods you can do that.

    There is a brief article on every of the methods above https://www.netguru.com/blog/3-ways-how-to-implement-certificate-pinning-on-android

    I described it from the Android perspective but the above assumptions are true for both mobile platforms(implementation on iOS side may vary from the Android one)