AzureAD / microsoft-authentication-library-for-android

Microsoft Authentication Library (MSAL) for Android
http://aka.ms/aadv2
MIT License

Security Issue in MSAL (do not implement SSL pinning while connecting to https://login.microsoftonline.com/) #1049

Closed wangyeking closed 2 years ago

wangyeking commented 4 years ago

The following Java or Kotlin classes within the App use the HttpsUrlConnection Android API to connect over HTTPS, but do not implement SSL pinning: com.microsoft.identity.common.internal.net.HttpRequest when connecting to https://login.microsoftonline.com/

The vulnerable classes within the App will accept SSL certificates signed by any Certificate Authority (CA) installed within the device's trust store. As part of a high-profile attack, this could allow an entity in control of a CA private key (such as a government) to perform a man-in-the-middle attack against any HTTPS traffic initiated by the target classes. Additionally, several trusted Certificate Authorities have been compromised in the past and recently (as described on Google Security's blog), which allowed the attackers to issue malicious but valid SSL certificates for any domain. Lastly, users can be tricked or required (for example per their employer's policies) to install new CA certificates within the device's trust store, further increasing the potential for compromise.

shoatman commented 4 years ago

MSAL does not currently support certificate pinning.

@Om83, @hamiltonha - Let's see if we can dig up the Microsoft guidance for customers who want to leverage certificate pinning when working with Microsoft services including AAD.

SamC-Apadmi commented 2 years ago

Have there been any changes on this?

SamCosta1 commented 2 years ago

Was this closed because it's now implemented?

masztalski commented 1 year ago

@SamCosta1 nope - today I was verifying some calls in the app with Charles and it turns out that while client API certificate pinning blocks this nicely, any calls to Microsoft servers are plainly visible

Pmr-precure commented 5 months ago

We just failed a pentest because of this, what to do? We got SSL pinning on our own APIs, but not for the MSAL
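One way to enforce pinning on the traffic this thread is about without patching MSAL, shown here as an added example that is not part of the MSAL project and is not Microsoft guidance: Android's Network Security Configuration (API 24+) is applied by the platform to every HttpsURLConnection the app process opens, including the ones MSAL's com.microsoft.identity.common.internal.net.HttpRequest makes, so pins the app declares for login.microsoftonline.com are checked on MSAL's calls too. The two pin digests below are placeholders, not real hashes of any Microsoft certificate; the expiration date and the file name are likewise assumptions for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (example config, not shipped with MSAL) -->
<network-security-config>
    <!-- Every host not matched below: system CAs only. User-installed CAs, which the
         pentest finding calls out, are not trusted in release builds. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- The AAD endpoint MSAL talks to. The platform enforces these pins on MSAL's own
         HttpsURLConnection traffic because the check happens in the system TrustManager. -->
    <domain-config>
        <domain includeSubdomains="true">login.microsoftonline.com</domain>
        <!-- After the expiration date Android stops enforcing the pin-set and falls back to
             ordinary CA validation, so a missed pin rotation degrades to "no pinning"
             instead of locking every user out of sign-in. Assumed date for the example. -->
        <pin-set expiration="2026-06-30">
            <!-- PLACEHOLDER: base64(SHA-256(SubjectPublicKeyInfo)) of the CA you choose to pin.
                 Replace with real values computed from the certificate chain. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- PLACEHOLDER backup pin for a second CA so a rotation does not brick the app. -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Only honoured when android:debuggable="true": lets a debug build trust a user-installed
         proxy CA (Charles, Burp) so traffic can still be inspected; pinning is skipped for chains
         that end in one of these anchors. Has no effect in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Wire it in with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element of the manifest. A pin value is computed from a certificate's public key, e.g. `openssl x509 -in ca.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl base64`. Because the chain behind login.microsoftonline.com is rotated by Microsoft and not by the app author, pin a root (or at most an intermediate) rather than the leaf, always ship a backup pin, and keep the expiration so that a rotation you did not track produces a fallback to CA validation rather than an outage.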