Something I’ve been confused about - Is certificat...
# androids
spierce7
01/14/2022, 7:28 PMSomething I’ve been confused about - Is certificate pinning still a best practice on Mobile? The web community has basically stopped the practice completely, and I always hate having to deal with the certificate upgrades every year or 2. Is there a better way that I’m just not informed of yet?
j
Joakim Forslund
01/14/2022, 8:13 PMI'll give you my few cents. To counter-act certificate pinning, all you need to do is basically root the phone and install magisk and add a plugin that trusts user certificates and then install something like burp or any other proxy. All of a sudden you can inspect the traffic sent anyhow.
Joakim Forslund
01/14/2022, 8:13 PMThere is also specific tools like Frida that can intercept all java calls to the actual ceritificate pinning method and just circumvent it on rooted phones.
Joakim Forslund
01/14/2022, 8:14 PMSo who and what are you trying to protect and against whom, should always be the question
e
ephemient
01/14/2022, 8:18 PMweb has effectively moved to relying on CT instead of pinning
ephemient
01/14/2022, 8:21 PMon native android, the platform doesn't really help with verifying SCTs, and pinning in your app isn't as nearly disastrous as web because the update mechanism (play store) will still work even if your pin goes awry
ephemient
01/14/2022, 8:22 PMstill, (as Joakim says) you should consider what you're trying to achieve
d
Daniel B Duval
01/14/2022, 8:39 PMIf you’re using the network config xml to pin by sha digest, I wouldn’t go that route.
We only use the config for non-prod builds and that’s since some pre-prod environments use self signed certs where the CA is our own local and not one in a global CA.
c
Colton Idle
01/14/2022, 9:55 PMThis isn't something for an android dev to decide really. It's an operational overhead that your sec team should accept. if you're a solo dev or something I would say it's not worth it. This also isn't really kotlin related, so maybe 😶
JesseWilson had a nice comment about this thing in the android-dev subreddit a few years ago. You can probably find it by using reddit comment search for "pinning" from user swankjesse (i think thats his reddit handle)
Colton Idle
01/14/2022, 9:55 PMif you can't find it and care to see his opinion, i can try to find it when im back home
e
Emanuel Moecklin
01/14/2022, 10:45 PMthe official documentation doesn't recommend certificate pinning: https://developer.android.com/training/articles/security-ssl#Pinning
Emanuel Moecklin
01/14/2022, 10:51 PMAlthough I don't think it's easy to get around certificate pinning if the app is hardened properly in which case it would detect a jail broken / rooted device and detect Frida toolkits and simply refuse to start. Of course no protection is 100% secure but you can make it hard enough for hackers to make them pick easier targets. In one of our projects we did that hardening and put some white hat hackers to work. They were not able to break through the protection.
j
Joakim Forslund
01/14/2022, 10:55 PMOh believe me, it is that simple.
Joakim Forslund
01/14/2022, 10:56 PMNo rooted devices is secure.
Joakim Forslund
01/14/2022, 10:56 PMTake that to heart.
e
Emanuel Moecklin
01/14/2022, 10:57 PMThe app won't run on a rooted device
🤡 1
Emanuel Moecklin
01/14/2022, 11:04 PMAlso pinning is meant to prevent mitm attacks, I don't want to do a mitm attack for my own rooted device but someone else's device which is likely not rooted.
d
Daniel B Duval
01/14/2022, 11:53 PMI’d hope that the security team and the engineering team would be provided the same voice in this decision. There’s arguably more risk for the android engineering team to take on that would be introduced security wise.
To start with, the developer docs do not recommend pinning for a very good reason as the SHA will eventually be replaced and you will render clients unusable.
Yes, you can plan for an update but many organizations rely on tools like Venafi that will alert the teams that mange SSL certs on servers too late for you to make a timely update to your app. Other organizations like to issue certs at a pace that will not be tenable for pinning.
When either of these become a problem + someone notices that the docs don’t recommend pinning, the engineering team will need to own up to why they didn’t push back.
s
spierce7
01/15/2022, 1:31 AMTo start with, the developer docs do not recommend pinning for a very good reason as the SHA will eventually be replaced and you will render clients unusable.Assuming the root certificates change. As long as you pin against the whole chain, I haven’t had any issues for 6 years with 3 cert changes, as the public keys for the intermediate and root certificates haven’t changed at all
d
Daniel B Duval
01/15/2022, 1:54 AMThat part depends on your organization. For example, we've switched CA a few times (even outside of Symantec to DigiCer)t. Our security team would prioritize being able to switch to new keys.
At the end of the day, it's not a hard yes/no answer, just that the Android engineering team should have the say in it as they will have to be responsible for either side of pinning.
f
FunkyMuse
01/15/2022, 2:22 PMI hope this answers your question
https://funkymuse.dev/posts/android_anti_tampering/
14 Views