search

datatheorem / TrustKit-Android

Easy SSL pinning validation and reporting for Android.
MIT License
585 stars 87 forks source link

Implementation fails to enforce pinning (React Native) #91

Open gabimoncha opened 3 years ago

gabimoncha commented 3 years ago

Describe the bug A clear and concise description of what the bug is.

I've implemented the library as is described in the documentation, without any success in enforcing the certificate pinning.

To Reproduce Steps to reproduce the behavior.

res/xml/network_security_config.xml

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">www.example.com</domain>
        <pin-set>
            <-- Invalid certificates -->
            <pin digest="SHA-256">AAAAeJFIEmx2Y01oXXXXXXXXXXmmSFZhBXXXXXXXXXX=</pin>
            <pin digest="SHA-256">CCCCxtmctlq2Y73orFOOXXXXXXXXXXZhBXXXXXXXXXX=</pin>
        </pin-set>
    </domain-config>
    <domain-config cleartextTrafficPermitted="true">
        <-- React Native config for debugging the app in Debug mode. I have tried without it and it still fails -->
        <domain includeSubdomains="true">10.0.2.2</domain>
        <domain includeSubdomains="true">localhost</domain>
    </domain-config>
</network-security-config>

MainApplication.java

...
  @Override
  public void onCreate() {
    super.onCreate();
    // Using the default path - res/xml/network_security_config.xml
    TrustKit.initializeWithNetworkSecurityConfiguration(this);

    String serverHostname = null;
    try {
        URL url = new URL("https://www.example.com");
        serverHostname = url.getHost();

        // HttpsUrlConnection
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        connection.setSSLSocketFactory(TrustKit.getInstance().getSSLSocketFactory(serverHostname));
    } catch (MalformedURLException e) {
        System.err.println("MalformedURLException when declaring URL " + e);
    } catch (IOException e) {
        System.err.println("IOException when opening connection " + e);
    }

    // OkHttp 3
    // OkHttpClient client = OkHttpClientProvider.createClientBuilder().sslSocketFactory(TrustKit.getInstance().getSSLSocketFactory(serverHostname),TrustKit.getInstance().getTrustManager(serverHostname)).build();

    OkHttpClient client = new OkHttpClient().newBuilder().sslSocketFactory(TrustKit.getInstance().getSSLSocketFactory(serverHostname),TrustKit.getInstance().getTrustManager(serverHostname)).build();

    SoLoader.init(this, /* native exopackage */ false);
    initializeFlipper(this, getReactNativeHost().getReactInstanceManager());
  }

useValidCertificate.js which is called once the Navigation screens have mounted

export default function useValidCertificate() {
  useEffect(() => {
    (async () => {
      fetch(`https://www.example.com/account/ping`)
        .then(() => {
          console.log('Valid certificate, connected.');
        })
        .catch(() => {
          resetRoot(SECURITY_SCREENS.InvalidCertificate);
        });
    })();
  }, []);
}

Expected behavior A clear and concise description of what you expected to happen.

The app should navigate to InvalidCertificate screen as it does when using TrustKit library for iOS. Instead the app is behaving as if the certificate is still valid.

TrustKit configuration Copy and paste your XML Network Security Policy.

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">www.example.com</domain>
        <pin-set>
            <-- Invalid certificates -->
            <pin digest="SHA-256">AAAAeJFIEmx2Y01oXXXXXXXXXXmmSFZhBXXXXXXXXXX=</pin>
            <pin digest="SHA-256">CCCCxtmctlq2Y73orFOOXXXXXXXXXXZhBXXXXXXXXXX=</pin>
        </pin-set>
    </domain-config>
    <domain-config cleartextTrafficPermitted="true">
        <-- React Native config for debugging the app in Debug mode. I have tried without it and it still fails -->
        <domain includeSubdomains="true">10.0.2.2</domain>
        <domain includeSubdomains="true">localhost</domain>
    </domain-config>
</network-security-config>

App details:

Additional context Add any other context about the problem here.

nabla-c0d3 commented 3 years ago

Hello,

Unfortunately React Native is not supported. The call to fetch() does not go through TrustKit's validation code which is why the app is behaving as if the certificate is still valid.

Your app would have to instead use the HttpsURLConnection or the OkHttpClient objects to implement pinning validation.

princealirehman1 commented 2 years ago

@gabimoncha Are you able to achieve this on react-native ?

Moustafa-mahmaed commented 1 year ago

I solved this problem after I took more than 4 days with me You can apply the following steps and they will help you solve the problem 1- put trustKit in build.gradle implementation 'com.datatheorem.android.trustkit:trustkit:1.1.3' 2-put onCreate in mainActivity.java @Override protected void onCreate(Bundle savedInstanceState) { TrustKit.initializeWithNetworkSecurityConfiguration(this); super.onCreate(savedInstanceState); }

3-create xml folder inside res folder 4-create network_security_config.xml

5-pass this code inside network_security_config.xml `<?xml version="1.0" encoding="utf-8" ?>

localhost 10.0.2.2 10.0.3.2 "replace url domain here"

` 6-dont forget add raw folder inside res folder 7-put certificate name as ca without extension

hope be helpful

waohwaohwaoh commented 7 months ago

I solved this problem after I took more than 4 days with me You can apply the following steps and they will help you solve the problem 1- put trustKit in build.gradle implementation 'com.datatheorem.android.trustkit:trustkit:1.1.3' 2-put onCreate in mainActivity.java @Override protected void onCreate(Bundle savedInstanceState) { TrustKit.initializeWithNetworkSecurityConfiguration(this); super.onCreate(savedInstanceState); }

3-create xml folder inside res folder 4-create network_security_config.xml

5-pass this code inside network_security_config.xml <?xml version="1.0" encoding="utf-8" ?> <network-security-config xmlns:tools="http://schemas.android.com/tools"> <domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="false">localhost</domain> <domain includeSubdomains="false">10.0.2.2</domain> <domain includeSubdomains="false">10.0.3.2</domain> <trustkit-config enforcePinning="false" /> </domain-config> <domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">"replace url domain here"</domain> <trust-anchors> <certificates src="@raw/ca" /> <certificates src="system" /> </trust-anchors> <trustkit-config enforcePinning="true" /> </domain-config> </network-security-config> 6-dont forget add raw folder inside res folder 7-put certificate name as ca without extension

hope be helpful

you are saved my day, thx