SSL Pinning in Mobile Apps: Android & iOS (Practical Guide + Trade-offs) - Part 1
Dev.to
Security

Hardening the transport layer with certificate pinning to block MITM attacks


Armando Picón · May 4, 2026 · 2 min · intermediate

Context

Standard HTTPS relies on the CA (Certificate Authority) trust model, and that dependency is the weak point: an attacker who installs a malicious certificate on the device can intercept traffic in a MITM (Man-in-the-Middle) attack, so the threat persists even over TLS.

Technical Solution

  • Move away from trusting every CA and design an allow-list trust model that accepts only specific public keys
  • Implement per-domain SHA-256 hash verification with OkHttp's CertificatePinner
  • Generate the pin value by extracting the server public key with OpenSSL and Base64-encoding its hash
  • Pin the public key rather than the whole certificate, so the pin stays valid across certificate renewals
  • Harden the transport layer to establish mutual trust between server and client

1. Prefer public key pinning, which has a longer rotation cycle, over pinning the certificate file itself

2. Establish a rotation strategy that handles certificate expiry and replacement without requiring an app update

3. Decide whether to adopt pinning by analysing the trade-off between security requirements and operational complexity

4. Use a standard implementation through a proven library such as OkHttp
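As an added example that is not part of the original post, the following standard-library Python sketch shows what an OkHttp-style `sha256/...` pin actually covers (the DER SubjectPublicKeyInfo, not the whole certificate) and why a public key pin plus a pre-published backup pin survives both certificate renewal and a planned key rotation, which is the point of items 1 and 2 above. The certificates are constructed minimal DER skeletons, the key material is dummy bytes, and the helper names (`tlv`, `read_tlv`, `extract_spki`, `spki_pin`, `fake_cert`) are this example's own.

```python
# Added example, not from the original post: what an OkHttp-style "sha256/..." pin covers.
import base64
import hashlib

def tlv(tag: int, body: bytes) -> bytes:            # minimal DER encoder (bodies < 65536 bytes)
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body
seq = lambda *parts: tlv(0x30, b"".join(parts))     # DER SEQUENCE

def read_tlv(buf: bytes, pos: int):                 # -> (tag, body, next_pos) at buf[pos]
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    return tag, buf[pos + hdr:pos + hdr + n], pos + hdr + n

def extract_spki(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo of an X.509 cert. tbsCertificate order: [0] version?, serial, sigAlg, issuer, validity, subject, SPKI."""
    _, cert_body, _ = read_tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)              # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        _, _, nxt = read_tlv(tbs, pos)
        fields.append(tbs[pos:nxt])
        pos = nxt
    if fields[0][0] == 0xA0:                        # drop the EXPLICIT [0] version wrapper if present
        fields.pop(0)
    return fields[5]

def pin_from_spki(spki_der: bytes) -> str:          # OkHttp pin: "sha256/" + base64(SHA-256(SPKI DER))
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()
def spki_pin(cert_der: bytes) -> str:               # the value an app compares against its allow-list
    return pin_from_spki(extract_spki(cert_der))

def fake_cert(serial: int, spki: bytes) -> bytes:   # constructed skeleton: only the field order matters
    alg = seq(tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))          # sha256WithRSAEncryption OID
    validity = seq(tlv(0x17, b"260101000000Z"), tlv(0x17, b"270101000000Z"))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])), alg, seq(), validity, seq(), spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 9))                            # dummy signature, never verified here

EC_ALG = seq(tlv(0x06, b"\x2A\x86\x48\xCE\x3D\x02\x01"))                    # id-ecPublicKey OID
SPKI_A = seq(EC_ALG, tlv(0x03, b"\x00\x04" + b"\x11" * 64))                # constructed dummy key A (current)
SPKI_B = seq(EC_ALG, tlv(0x03, b"\x00\x04" + b"\x22" * 64))                # constructed dummy key B (backup)
SPKI_X = seq(EC_ALG, tlv(0x03, b"\x00\x04" + b"\x33" * 64))                # unknown key, e.g. a rogue-CA leaf
CERT_2026, CERT_2027 = fake_cert(1, SPKI_A), fake_cert(2, SPKI_A)          # renewal: new cert, same key A
CERT_ROLLED, CERT_X = fake_cert(3, SPKI_B), fake_cert(4, SPKI_X)           # rotation to B; attacker's key X
PINS = {spki_pin(CERT_2026), pin_from_spki(SPKI_B)}                        # primary + backup pins shipped in app
```

For a real server, the OpenSSL pipeline the post describes (extract the public key, DER-encode it, SHA-256 it, Base64 the digest) yields exactly the value `pin_from_spki` computes here.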
