vincentcox / StaCoAn

StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing static code analysis on mobile applications.
MIT License

Android - Security SSL #68

Open narayan8291 opened 6 years ago

narayan8291 commented 6 years ago

We can try to incorporate test cases that can be used to identify issues with SSL/TLS in Android apps. Reference Doc: https://developer.android.com/training/articles/security-ssl

  1. Loading custom certificates into the Android KeyStore. This is usually done to accept self-signed certs or certs signed using an unknown CA. Regex Used: `.*keyStore.setCertificateEntry.*`

  2. HostName Verifier. Failing to check the hostname for a certificate. Regex: `.*public boolean verify(.*String.*SSLSession.*).*`

NOTE: ===> This check needs to be done on the entire function and not just on the line of code. The function content has to be chunked out and matched with `.*return true;.*`.

  3. Overriding SSLCheck in WebViews. This is already a part of owasp_static_android.txt.

  4. Overriding SSL Check. Android apps can override SSL checks, thus suppressing any SSL validation error. Regex: `.*checkServerTrusted.*{}.*`

NOTE: ====> This check needs to be done on the entire function and not just on the line of code. The function content has to be chunked out and matched with an empty string.

  5. SSLSocket. According to the official Android doc:

Caution: SSLSocket does not perform hostname verification. It is up to your app to do its own hostname verification, preferably by calling getDefaultHostnameVerifier() with the expected hostname. Further beware that HostnameVerifier.verify() doesn't throw an exception on error but instead returns a boolean result that you must explicitly check.

Regex: `.*SSLSocket.*createSocket(.*`
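As an added example (not StaCoAn's own code), a small Python scanner that implements the checks proposed in the comment above: the line-level regexes, plus the function-level chunking the two NOTEs ask for. A matched method's body is cut out by brace counting and flagged only when, with whitespace collapsed, it is exactly `return true;` (hostname verifier) or empty (`checkServerTrusted`), so a verifier that delegates to the platform default is not reported. The rule names and the Java sample are constructed for this example.

```python
import re

# Constructed Java sample (not from any real app): every pattern from the issue, plus one safe verifier.
SAMPLE_JAVA = """class Insecure {
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    void load() throws Exception {
        keyStore.setCertificateEntry("ca", ca);
        SSLSocket s = (SSLSocket) factory.createSocket("example.com", 443);
    }
}
class Safe {
    public boolean verify(String hostname, SSLSession session) {
        return HttpsURLConnection.getDefaultHostnameVerifier().verify("api.example.com", session);
    }
}"""

# Line-level rules (rule -> regex); method-level rules (rule -> (header regex, regex the whitespace-collapsed body must fully match)).
LINE_RULES = {
    "custom-cert-in-keystore": re.compile(r"keyStore\.setCertificateEntry"),
    "sslsocket-no-hostname-check": re.compile(r"SSLSocket.*createSocket\("),
}
METHOD_RULES = {
    "hostname-verifier-always-true": (
        re.compile(r"public\s+boolean\s+verify\s*\(.*String.*SSLSession.*\)"), re.compile(r"return true;")),
    "trust-manager-empty": (re.compile(r"checkServerTrusted\s*\("), re.compile(r"")),
}

def method_body(src, pos):
    """Return the text inside the braces of the method whose header ends at pos (None if no balanced block)."""
    start, depth = src.find("{", pos), 0
    if start < 0:
        return None
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)  # track nesting so inner blocks do not end the method early
        if depth == 0:
            return src[start + 1:i]
    return None

def scan(src):
    """Return sorted (rule, line number) findings for one Java source file."""
    found = [(rule, n) for n, line in enumerate(src.splitlines(), 1)
             for rule, pat in LINE_RULES.items() if pat.search(line)]
    for rule, (header, body_pat) in METHOD_RULES.items():
        for m in header.finditer(src):
            body = method_body(src, m.end())
            if body is not None and body_pat.fullmatch(" ".join(body.split())):
                found.append((rule, src.count("\n", 0, m.start()) + 1))
    return sorted(found)
```

Running `scan(SAMPLE_JAVA)` reports four findings from the `Insecure` class and nothing from `Safe`.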

vincentcox commented 6 years ago

Thanks for the detailed explanation! I will add them under the OWASP rules. Will keep you updated on the progress!