search

datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License
584 stars 87 forks source link

Domain exception to be made on local IP address 10.0.2.2 #49

Closed MaRuifeng closed 5 years ago

MaRuifeng commented 5 years ago

Describe the bug From React Native version 0.58 onwards, with Android API version 28, no clear text traffic is allowed by default. But currently the React Native packager and debugger connects to the device or emulator via HTTP taking either localhost or 10.0.0.2. These values are hardcoded in RN's codebase.

We tried to make an exception to them by putting below config block in the network_security_config.xml file which is further referenced in the AndroidManifest.xml file. 

<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">localhost</domain>
    <domain includeSubdomains="false">10.0.2.2</domain>
    <domain includeSubdomains="false">10.0.3.2</domain>
    <trustkit-config enforcePinning="false"/>
</domain-config>

This SO entry explains this approach in detail.

But this config is not acknowledge by the TrustKit module with below exception, hence causing the app to crash upon launch. 

03-02 16:18:56.826 19455 19455 E AndroidRuntime: java.lang.RuntimeException: Unable to create application ***.***.MainApplication: com.datatheorem.android.trustkit.config.ConfigurationException: Tried to pin an invalid domain: 10.0.3.2
...
03-02 16:18:56.826 19455 19455 E AndroidRuntime: Caused by: com.datatheorem.android.trustkit.config.ConfigurationException: Tried to pin an invalid domain: 10.0.3.2
03-02 16:18:56.826 19455 19455 E AndroidRuntime:    at com.datatheorem.android.trustkit.config.DomainPinningPolicy.<init>(DomainPinningPolicy.java:48)

This problem is very similar to #25 for which only localhost was exempted.

To Reproduce Put above XML config block for clear text traffic in an RN (version >= 0.58) app with TrustKit module installed, run react-native run-android to install and launch it in an Android emulator. The app will crash upon launch and the above exception messages can be read via logcat.

Expected behavior Certain local IP addresses like 10.0.2.2 used by the RN packager and debugger should be considered as valid domain.

TrustKit configuration

<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">localhost</domain>
    <domain includeSubdomains="false">10.0.2.2</domain>
    <domain includeSubdomains="false">10.0.3.2</domain>
    <trustkit-config enforcePinning="false"/>
</domain-config>

App details:

nabla-c0d3 commented 5 years ago

The next release will ignore domain-config entries that don't have a pin-set (ie. entries that are not configuring pinning).

nabla-c0d3 commented 5 years ago

Released with v1.1.1.

MaRuifeng commented 5 years ago

The fix seemed causing another problem as documented in #53 .