datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License

Uploading report fails with: javax.net.ssl.SSLHandshakeException: Pin verification failed #72

Open shenoymukesh opened 4 years ago

shenoymukesh commented 4 years ago

Describe the bug

Uploading a report would fail with "Pin verification failed" if the report-uri has the same domain as the domain for which the pinning failed. This is the most likely case for an organization.

To Reproduce

In the TrustKit sample app, www.google.com is configured with invalid pins, so pinning would fail. If the report-uri is also set to www.google.com, it would fail to upload the report with javax.net.ssl.SSLHandshakeException: Pin verification failed. Tested this on Android version 10. This issue should be reproducible on Android version 7 and above.

Expected behavior

We should be able to upload reports successfully without applying the pinning.

TrustKit configuration

Copy and paste your XML Network Security Policy.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">www.datatheorem.com</domain>
        <!-- Valid pins -->
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <report-uri>https://overmind.datatheorem.com/trustkit/report</report-uri>
        </trustkit-config>
    </domain-config>
    <domain-config enforcePinning="true">
        <domain includeSubdomains="true">www.google.com</domain>
        <pin-set>
            <!-- Invalid pins -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
        <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
            <report-uri>https://www.google.com</report-uri>
        </trustkit-config>
    </domain-config>
    <domain-config enforcePinning="false">
        <domain includeSubdomains="true">localhost</domain>
        <trustkit-config
          enforcePinning="false"
          disableDefaultReportUri="true" />
    </domain-config>
</network-security-config>

App details

TrustKit Demo app. Tested this on Android version 10. This issue should be reproducible on Android version 7 and above.

Additional context

Note that I tested the failure with the invalid-pin approach. I suppose the results would be similar for a MITM attack as well? Is it expected to apply pinning for the report upload as well? If so, wouldn't it obviously fail? Maybe I am missing something here. Please let me know. Thanks.
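The configuration mistake this issue describes (a report-uri whose host is itself covered by an enforced pin-set, so a pin failure also blocks the report upload) can be caught before shipping with a small lint over the Network Security Policy. The following is an added example written for this page, not TrustKit's own code; the config it parses is a constructed copy of the issue's sample, and the function and variable names are assumptions.

```python
# Lint a TrustKit network_security_config.xml for report-uri hosts that are
# themselves under an enforced pin-set. Added example, not TrustKit's own code.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed config mirroring the issue: www.google.com reports to itself.
SAMPLE_CONFIG = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">www.datatheorem.com</domain>
    <pin-set><pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin></pin-set>
    <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
      <report-uri>https://overmind.datatheorem.com/trustkit/report</report-uri>
    </trustkit-config>
  </domain-config>
  <domain-config>
    <domain includeSubdomains="true">www.google.com</domain>
    <pin-set><pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin></pin-set>
    <trustkit-config enforcePinning="true" disableDefaultReportUri="true">
      <report-uri>https://www.google.com</report-uri>
    </trustkit-config>
  </domain-config>
</network-security-config>"""

def enforced_pinned_domains(root):
    """Yield (domain, includeSubdomains) for domain-configs with a pin-set and enforcePinning="true"."""
    for cfg in root.iter("domain-config"):
        tk = cfg.find("trustkit-config")
        enforced = tk is not None and tk.get("enforcePinning", "false") == "true"
        if cfg.find("pin-set") is None or not enforced:
            continue
        for d in cfg.findall("domain"):
            subs = d.get("includeSubdomains", "false") == "true"
            yield d.text.strip().lower(), subs

def host_covered(host, domain, include_subdomains):
    """True if host falls under the domain entry, honouring includeSubdomains."""
    return host == domain or (include_subdomains and host.endswith("." + domain))

def find_self_pinned_report_uris(xml_text):
    """Return (report_uri, pinned_domain) pairs where the report host is itself enforced-pinned."""
    root = ET.fromstring(xml_text)
    pinned = list(enforced_pinned_domains(root))
    uris = [u.text.strip() for u in root.iter("report-uri")]
    return [(u, d) for u in uris for d, subs in pinned
            if host_covered((urlparse(u).hostname or "").lower(), d, subs)]
```

Running `find_self_pinned_report_uris(SAMPLE_CONFIG)` flags only the www.google.com report-uri; the datatheorem entry is not flagged because overmind.datatheorem.com is not a subdomain of www.datatheorem.com.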