capacitor-community / fcm

Enable Firebase Cloud Messaging for Capacitor apps
https://capacitor.ionicframework.com/docs/
MIT License

security vulnerability issue after installing #38

Closed iosdroid closed 1 year ago

iosdroid commented 4 years ago

After installing this plugin, when I run a security scan I get "certificate SSL pinning is missing". How do I resolve this?

stewones commented 4 years ago

Can you please set up a reproducible example? What security scan are you doing?

iosdroid commented 4 years ago

In my app I scan the .ipa file for vulnerabilities on the Quixxi website below; with this plugin I get the vulnerability issue below. When I try without the plugin, the issue is gone.

Missing Certificate Pinning
Severity: High
OWASP MASVS: 5.4 (L2)
Filename:

THREAT
An app can further protect itself from communicating with the wrong recipient by a technique known as certificate pinning. The general concept is that the client is configured to know the certificate it expects to receive from the server. If the certificate presented does not match the assigned one, the client prevents the session from starting.

RISK
If certificate pinning is not implemented, an attacker (MITM, man in the middle) can position himself between the client and the real server. If the certificate authority is the victim of fraud, it can issue a valid certificate to a criminal, or the user can be induced to add a new trusted certificate authority. In this situation the handshake procedure for the client would occur with the attacker mimicking the server. This will cause a different public key to be sent to the client, which, thinking it has received it from the original server, will send back its pre-master secret to start the communication. The MITM completes the hack by sending the pre-master secret to the original server. At this point the client and server are connected in an only apparently secure way, because the MITM has the same pre-master key to decrypt the traffic between the two parties.

stewones commented 4 years ago

That's interesting. Any idea, @dwieeb @priyankpat?

jcesarmobile commented 1 year ago

The plugin doesn't create any connection directly; all connections to the FCM servers are done through the FCM SDKs, so if there is a vulnerability it should be fixed by Google, not by the plugin (other than keeping dependencies up to date). So if you think it's a problem, you should report it to Google.

As far as I know, Firebase doesn't support SSL pinning: https://github.com/firebase/firebase-ios-sdk/issues/6821