Describe the bug
Uploading a report fails with "Pin verification failed" if the report-uri has the same domain as the domain for which pinning failed. This is the most likely case for an organization.
To Reproduce
In the TrustKit sample app, www.google.com is configured with invalid pins, so pinning fails. If the report-uri is also set to www.google.com, the report upload fails with javax.net.ssl.SSLHandshakeException: Pin verification failed.
Tested this on Android version 10. This issue should be reproducible on Android version 7 and above.
Expected behavior
We should be able to upload reports successfully without pinning being applied to the report upload.
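To make the situation in the report concrete, here is a constructed TrustKit Network Security Configuration (added here as an illustration; it is not the reporter's configuration, which was not pasted into the issue, and not taken from the TrustKit sample app). The domain names, pin values and report paths are placeholders. The first domain-config reproduces the failing setup: the report-uri points at a host that is itself inside the pinned scope, so when pin validation fails for that host, the HTTPS connection used to send the report is rejected by the same pin check. The second domain-config shows the usual way to avoid this: the reporting endpoint lives on a host that no domain-config with a pin-set matches, so a pin failure on the protected domain cannot block the report about it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example, not the reporter's configuration.
     All domains, pins and paths below are placeholders. -->
<network-security-config>

    <!-- Failing layout: the report-uri host is covered by the same
         pinned domain-config. A pin failure for www.example.com also
         blocks the HTTPS upload of the report to www.example.com. -->
    <domain-config>
        <domain includeSubdomains="true">www.example.com</domain>
        <pin-set>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_PIN_1=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_PIN_2=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <report-uri>https://www.example.com/pin-report</report-uri>
        </trustkit-config>
    </domain-config>

    <!-- Working layout: the report endpoint is on a separate host that
         is matched by no pinned domain-config, so the report upload is
         validated by the platform trust store only and is not rejected
         when pinning fails for app.example.org. Note that
         includeSubdomains="true" would also pull reports.example.org
         into the pinned scope if it were a subdomain of the pinned
         domain, so the reporting host must sit outside it entirely. -->
    <domain-config>
        <domain includeSubdomains="true">app.example.org</domain>
        <pin-set>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_PIN_3=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SHA256_PIN_4=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <report-uri>https://pin-reports.example-logging.net/report</report-uri>
        </trustkit-config>
    </domain-config>

</network-security-config>
```

When checking a configuration like this, the question to ask for each report-uri is simply whether its host is matched by any domain-config that carries a pin-set (including through includeSubdomains). If it is, a pin failure on that domain will also fail the report upload, which is the behaviour the issue describes.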
TrustKit configuration
Copy and paste your XML Network Security Policy.
App details:
TrustKit Demo app
Tested this on Android version 10. This issue should be reproducible on Android version 7 and above.
Additional context
Note that I tested the failure with the invalid-pin approach. I suppose the results would be similar for a MITM attack as well?
Is it expected to apply pinning to the report upload as well? If so, wouldn't it obviously fail?
Maybe I am missing something here. Please let me know.
Thanks.