Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (or why 10M bank users were vulnerable)

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Colleges, School and Institutes


Certificate verification is a crucial stage in the establishment of a TLS connection. A common security flaw in TLS implementations is the lack of certificate hostname verification but, in general, this is easy to detect. In security-sensitive applications, the usage of certificate pinning is on the rise. This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks. Dynamic (black-box) detection of this vulnerability would typically require the tester to own a high
security certificate from the same issuer (and often same intermediate CA) as the one used by the app. We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the
hostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable. These apps have a joint user base of tens of millions of users.


Original languageEnglish
Title of host publicationProceedings of 33rd Annual Computer Security Applications Conference (ACSAC 2017)
Publication statusPublished - 4 Dec 2017
Event33rd Annual Computer Security Applications Conference (ACSAC 2017) - Orlando, Florida, United States
Duration: 4 Dec 20178 Dec 2017


Conference33rd Annual Computer Security Applications Conference (ACSAC 2017)
CountryUnited States
CityOrlando, Florida