Port mastg test 0022 (by @guardsquare) #3035

Open: wants to merge 5 commits into base: master
30 changes: 30 additions & 0 deletions Document/0x05g-Testing-Network-Communication.md
@@ -119,6 +119,36 @@ If at least one of the pinned digests matches, the certificate chain will be con
</network-security-config>
```

!!! note "Expiration dates"
If you [set an expiration date](https://developer.android.com/privacy-and-security/security-config#CertificatePinning), make sure to update your application in time. Otherwise pinning will **not** be performed at all after the configured date.

!!! warning "Technologies not using Network Security Configuration"
If your application uses low level networking APIs or SDKs like Flutter, the Network Security Configuration might not be used by default. In those cases you need to enable certificate pinning specifically for the used technology.

### Certificate pinning without Android Network Security Configuration

If your application targets an Android version lower than Android 7.0 Nougat (SDK version 24), the Android Security Configuration is not available, and you need to implement certificate pinning manually.

!!! warning "Implementing Certificate Pinning Manually"
Implementing certificate pinning manually has a high risk of adding functionality to your application that makes the app even less secure. If you are adding this manually take extreme care of implementing this correctly.

Applications that use third-party networking libraries may utilize the libraries' certificate pinning functionality. For example, [okhttp](https://square.github.io/okhttp/features/https/#certificate-pinning-kt-java) can be set up with the `CertificatePinner` as follows:

```java
val client = OkHttpClient.Builder()
.certificatePinner(
CertificatePinner.Builder()
.add("publicobject.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
.build())
.build()
```

#### Hybrid Applications

Hybrid applications might support certificate pinning through plugins.

For example, applications based on Cordova do not support Certificate Pinning natively, so the plugin [PhoneGap SSL Certificate Checker](https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin) can be used.

### Security Provider

Android relies on a [security provider](https://developer.android.com/training/articles/security-gms-provider.html "Update your security provider to protect against SSL exploits") to provide SSL/TLS-based connections. The problem with this kind of security provider (one example is [OpenSSL](https://www.openssl.org/news/vulnerabilities.html "OpenSSL Vulnerabilities")), which comes with the device, is that it often has bugs and/or vulnerabilities.
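Review bot: the snippet starting `val client = OkHttpClient.Builder()` is Kotlin, but its fence is tagged ```java; retag it ```kotlin (and restore the indentation of the builder chain, which is flattened). In the same section, "the Android Security Configuration is not available" should use the feature's full name, Network Security Configuration, as the heading does, and "targets an Android version lower than Android 7.0 Nougat (SDK version 24)" is better stated as "supports devices running Android versions below 7.0 (minSdkVersion below 24)", because the configuration is simply ignored on older devices regardless of the app's targetSdkVersion.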
@@ -0,0 +1,38 @@
---
title: Missing Certificate Pinning in Code
platform: android
id: MASTG-TEST-0x22-1
type: [static]
weakness: MASWE-0047
---

## Overview

Apps can configure certificate pinning using the [Network Security Configuration]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning"). For each domain, one or multiple digests can be pinned.

Certificate pinning can also be done manually in the code. Depending on the used technologies, this can be done for example by:

- Pinning a certificate with a custom `TrustManager`,
- configuring the used third party networking libraries to pin certificates,
- use plugins to achieve certificate pinning for hybrid apps.

Chapter [Certificate pinning without Android Network Security Configuration]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning-without-android-network-security-configuration") explains in more detail how this can be achieved in the app.

The goal of this test is to check if any certificate pinning exists.

!!! note "Limitations"
Since there are many different ways to achieve certificate pinning in the code, checking statically if the application performs pinning might not reveal all such locations. To make sure certificates are pinned for all relevant connections, additional dynamic analysis can be performed.

## Steps

1. Reverse engineer the app (@MASTG-TECH-0017).
2. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and all domains which have a pinned certificate.
3. Run a static analysis tool such as @MASTG-TOOL-0011 or @MASTG-TOOL-0018 on the code and look for APIs or configurations performing certificate pinning (see above). Extract all domains for which the certificates are pinned.

## Observation

The output should contain a list of domains which enable certificate pinning.

## Evaluation

The test case fails if any relevant domain does not enable certificate pinning.
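Review bot: the link targets in `[Network Security Configuration]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning")` and in the "Certificate pinning without Android Network Security Configuration" link put double quotes inside the parentheses, which Markdown treats as part of the URL (a quoted string there is only valid as a title after a space), so the links will not resolve; drop the quotes. The bullet list mixes forms ("Pinning a certificate…", "configuring…", "use plugins…"); make the items parallel, e.g. "pinning a certificate with a custom `TrustManager`", "configuring third-party networking libraries to pin certificates", "using plugins for hybrid apps". Step 2 says "inspect the referenced file, and all domains which have a pinned certificate" but never says to record them; add "extract" so the step yields the domain list the Observation expects. The Evaluation refers to "any relevant domain", yet the Steps only enumerate domains that are pinned, not the set of domains the app talks to; state how relevant domains are identified.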
26 changes: 26 additions & 0 deletions tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x22-2.md
@@ -0,0 +1,26 @@
---
title: Expired Certificate Pins
platform: android
id: MASTG-TEST-0x22-2
type: [static]
weakness: MASWE-0047
---

## Overview

Apps can configure expiration dates for pinned certificates in the [Network Security Configuration]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning"). After the expiration date the pin is not used any more, and all installed CAs are trusted for that domain.

The goal of this test is to check if any expiration date is in the past.

## Steps

1. Reverse engineer the app (@MASTG-TECH-0017).
2. Inspect the AndroidManifest.xml, and check if a `networkSecurityConfig` is set in the `<application>` tag. If yes, inspect the referenced file, and extract the expiration dates for every domain.

## Observation

The output should contain a list of expiration dates for pinned certificates.

## Evaluation

The test case fails if any expiration date is in the past.
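Review bot: same link-quoting problem as in MASTG-TEST-0x22-1: `[Network Security Configuration]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning")` has the quotes inside the parentheses, so the target will not resolve; remove them. The sentence "After the expiration date the pin is not used any more, and all installed CAs are trusted for that domain" states the behaviour without a source; link it to the same developer.android.com CertificatePinning section already cited in the "Expiration dates" note added to 0x05g in this PR.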
29 changes: 29 additions & 0 deletions tests-beta/android/MASVS-NETWORK/MASTG-TEST-0x22-3.md
@@ -0,0 +1,29 @@
---
title: Missing Certificate Pinning in Network Traffic
platform: network
id: MASTG-TEST-0x22-3
type: [static]
weakness: MASWE-0047
---

## Overview

There are various ways how [certificate pinning]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning-without-android-network-security-configuration") can be done for an application.

Since statically finding all of the locations where certificate pinning is performed might not be feasible, this test case uses dynamic analysis to observe all connections the app makes.

The goal of this test case is to dynamically check if the connection to a server can be intercepted using a [Man-in-the-Middle attack]("../../../Document/0x04f-Testing-Network-Communication.md#mitm-attack). If this is possible, it means the certificate is not pinned correctly or at all.

## Steps

1. Set up an intercepting proxy, for example @MASTG-TOOL-0077 or @MASTG-TOOL-0097.
2. Install the application on a device connected to that proxy, and intercept the communication.
3. Extract all domains which were intercepted.

## Observation

The output should contain a list domains, for which the interception was successful.

## Evaluation

The test case fails if any relevant domain was intercepted.
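Review bot: the front matter contradicts the body: `type: [static]` while the Overview says "this test case uses dynamic analysis" and the Steps intercept live traffic, so it should be `[dynamic]`; and `platform: network` differs from the `platform: android` used by the sibling tests in tests-beta/android, which looks like a typo. The `[Man-in-the-Middle attack]("../../../Document/0x04f-Testing-Network-Communication.md#mitm-attack)` link is missing its closing quote and, like the other links in this PR, should not have quotes inside the parentheses at all. Step 2 should also say that the proxy's CA certificate must be trusted by the device before interception is attempted; otherwise every TLS connection fails whether or not pins are configured, and the test would report pinning where there is none. Observation: "a list domains, for which the interception was successful" should read "a list of domains for which interception was successful".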
3 changes: 3 additions & 0 deletions tests/android/MASVS-NETWORK/MASTG-TEST-0022.md
@@ -7,6 +7,9 @@ platform: android
title: Testing Custom Certificate Stores and Certificate Pinning
masvs_v1_levels:
- L2
status: deprecated
covered_by: [MASTG-TEST-0x22-1,MASTG-TEST-0x22-2,MASTG-TEST-0x22-3]
deprecation_note: New version available in MASTG V2
---

## Overview
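Review bot: `covered_by: [MASTG-TEST-0x22-1,MASTG-TEST-0x22-2,MASTG-TEST-0x22-3]` references ids that read as placeholders derived from the deprecated test's number (the PR title is "Port mastg test 0022"); if the three new tests are renumbered before merge, this list must be updated with them, since a stale `covered_by` would silently point readers of the deprecated test at non-existent files.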