Android missing certificate pinning¶
ID: java/android/missing-certificate-pinning Kind: problem Security severity: 5.9 Severity: warning Precision: medium Tags: - security - external/cwe/cwe-295 Query suites: - java-security-extended.qls - java-security-and-quality.qls Click to see the query in the CodeQL repository
Certificate pinning is the practice of only trusting a specific set of SSL certificates, rather than those that the device trusts by default. In Android applications, it is reccomended to use certificate pinning when communicating over the network, in order to minimize the risk of machine-in-the-middle attacks from a compromised CA.
Recommendation¶
The easiest way to implement certificate pinning is to declare your pins in a network-security-config XML file. This will automatically provide certificate pinning for any network connection made by the app.
Another way to implement certificate pinning is to use the `CertificatePinner` class from the `okhttp` library.
A final way to implement certificate pinning is to use a TrustManager, initialized from a KeyStore loaded with only the necessary certificates.
Example¶
In the first (bad) case below, a network call is performed with no certificate pinning implemented. The other (good) cases demonstrate the different ways to implement certificate pinning.
// BAD - By default, this network call does not use certificate pinning URLConnection conn = new URL("https://example.com").openConnection(); <!-- GOOD: Certificate pinning implemented via a Network Security Config file --> <!-- In AndroidManifest.xml --> <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app"> <application android:networkSecurityConfig="@xml/NetworkSecurityConfig"> ... </application> </manifest> <!-- In res/xml/NetworkSecurityConfig.xml --> <network-security-config> <domain-config> <domain>good.example.com</domain> <pin-set expiration="2038/1/19"> <pin digest="SHA-256">...</pin> </pin-set> </domain-config> </network-security-config> // GOOD: Certificate pinning implemented via okhttp3.CertificatePinner CertificatePinner certificatePinner = new CertificatePinner.Builder() .add("example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build(); OkHttpClient client = new OkHttpClient.Builder() .certificatePinner(certificatePinner) .build(); client.newCall(new Request.Builder().url("https://example.com").build()).execute(); // GOOD: Certificate pinning implemented via a TrustManager KeyStore keyStore = KeyStore.getInstance("BKS"); keyStore.load(resources.openRawResource(R.raw.cert), null); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(keyStore); SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, tmf.getTrustManagers(), null); URL url = new URL("http://www.example.com/"); HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); urlConnection.setSSLSocketFactory(sslContext.getSocketFactory()); References¶
OWASP Mobile Security: Testing Custom Certificate Stores and Certificate Pinning (MSTG-NETWORK-4).
Android Developers: Network security configuration.
OkHttp: CertificatePinner.
Common Weakness Enumeration: CWE-295.