Finding Description
The app doesn't implement certificate pinning as a hardening measure for some domains.
Certificate pinning (AKA public key pinning) is a hardening measure on top of the standard TLS certificate validation. Certificate pinning is typically used by high-risk apps. According to their threat model, high-risk apps need to protect against Man-in-the-Middle (MITM) attacks in scenarios where a Certificate Authority (CA) could be compromised, or where malicious certificates were installed on the user's device, either by accident or through a targeted social engineering attack.
Instead of trusting all CAs installed in the system certificate store, an app can use certificate pinning to restrict the set of certificates it trusts. All other connections are terminated immediately.
Steps to Reproduce
This test reverse engineers the app and observes its method calls to determine whether certificate pinning is implemented.
Business Impact
Failing to implement certificate pinning can expose the app to decryption of network communications via Man-in-the-Middle attacks by a compromised Certificate Authority or user device.
Remediation Resources
Domain Name: hostname of the domain
Pinned?: indicates whether the domain was pinned
Pinning Implementation: name of the software library or module used to pin the domain
Runtime Attempt: indicates if there were any pinning attempts to this domain during the current execution of the app
Carefully inspect all domains from the evidence table that display false in the "Pinned?" column. Note that due to the diverse nature of pinning implementations, this test cannot detect all possible variants. If your app is already pinning some of the reported domains, you can safely dismiss the finding for that domain.
Certificate pinning should be used exclusively as a hardening measure for high-risk apps. If your app requires certificate pinning (e.g., compliance with the OWASP MASVS or other standards or regulations), there are a few important considerations:
Pin only endpoints under your control. Also, be sure to include backup keys (AKA backup pins) and have a proper app update strategy. If these measures are not ensured, your app may stop functioning the next time the certificate is replaced. Rectifying this would require you to deploy an update via the Play Store, which could result in extended downtime for your users.
Instead of pinning the certificate itself, pin its public key (more specifically, the SubjectPublicKeyInfo), which typically stays the same even if the certificate is updated.
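As an added illustration of the considerations above (this is not part of the NowSecure finding and not the audited app's own configuration), the Android network security configuration below pins a hypothetical first-party API host with SPKI-based pins, includes a backup pin, and sets an expiration date so that a missed rotation falls back to standard CA validation instead of leaving the app unable to connect. The domain `api.example.com`, the `PLACEHOLDER_...` pin values and the expiration date are assumed values to be replaced with your own; each real pin is the base64-encoded SHA-256 digest of the DER-encoded SubjectPublicKeyInfo, which the `openssl` pipeline quoted in the comment derives from a PEM certificate.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not the audited app's config) -->
<network-security-config>
    <!-- Pin only a host whose certificate lifecycle you control.
         "api.example.com" is a hypothetical first-party endpoint. -->
    <domain-config>
        <domain includeSubdomains="false">api.example.com</domain>

        <!-- Pins are SHA-256 digests of the DER-encoded SubjectPublicKeyInfo,
             not of the whole certificate, so a renewed certificate that keeps
             the same key pair still matches. Derive a pin from a PEM cert with:
               openssl x509 -in cert.pem -pubkey -noout \
                 | openssl pkey -pubin -outform der \
                 | openssl dgst -sha256 -binary \
                 | openssl enc -base64
             The expiration date (assumed value) is a safety net: once it passes,
             Android stops enforcing the pins and the connection is validated
             against the system CA store as usual. -->
        <pin-set expiration="2026-12-31">
            <!-- PLACEHOLDER: pin of the key pair currently deployed on the server -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64_SHA256_OF_SPKI=</pin>
            <!-- PLACEHOLDER: backup pin for a key pair generated in advance and
                 kept offline, so the server key can be rotated without shipping
                 an app update first -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64_SHA256_OF_SPKI=</pin>
        </pin-set>
    </domain-config>

    <!-- Every other domain (third-party CDNs, analytics, and so on) keeps the
         platform default: trust the system CA store, no pinning. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

The file is activated by referencing it from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element. Keeping the backup key offline and rotating to it only when the primary is compromised or retired is what makes the pin set survive a certificate replacement; without the second pin, the next key change requires an app update before users can connect again.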
Risk and Regulatory Information
Severity: info
Policy Category: Informational
Application
See more detail in the NowSecure Report
Evidence
#### Pinned Domains

| Domain Name | Pinned? | Pinning Implementation | Runtime Attempt |
|---|---|---|---|
| fbcdn.net | true | network_security_config | false |
| fbsbx.com | true | network_security_config | false |
| oculus.com | true | network_security_config | false |

... and 93 more