diff --git a/Document/0x05g-Testing-Network-Communication.md b/Document/0x05g-Testing-Network-Communication.md index 78044a0a81..6d839d8dc4 100644 --- a/Document/0x05g-Testing-Network-Communication.md +++ b/Document/0x05g-Testing-Network-Communication.md @@ -90,7 +90,7 @@ The default configuration for apps targeting Android 6.0 (API level 23) and lowe ### Certificate Pinning -Certificate pinning is a critical security mechanism employed in Android applications to safeguard against man-in-the-middle (MITM) attacks by ensuring that the app communicates exclusively with servers possessing predefined cryptographic credentials. +[Certificate pinning](0x04f-Testing-Network-Communication.md/#restricting-trust-identity-pinning) can be employed in Android apps to safeguard against Machine-in-the-Middle (MITM) attacks by ensuring that the app communicates exclusively with remote endpoints possessing specific identities. While effective when implemented correctly, insecure implementations potentially enable attackers to read and modify all communication. For more general details on pinning, refer to @MASWE-0047. diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0241.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0241.md index 99d4f0eff7..78bd5cc0a1 100644 --- a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0241.md +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0241.md @@ -1,5 +1,5 @@ --- -title: Expired Certificate Pins +title: Expired Certificate Pins in the Network Security Configuration platform: android id: MASTG-TEST-0241 type: [static] 
@@ -8,7 +8,11 @@ weakness: MASWE-0047 ## Overview -Apps can configure expiration dates for pinned certificates in the [Network Security Configuration]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning"). After the expiration date, the pin is no longer used and all installed CAs for that domain are trusted. +Apps can configure expiration dates for pinned certificates in the [Network Security Configuration (NSC)]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning") by using the `expiration` attribute. When a pin expires, the app no longer enforces certificate pinning and instead relies on its configured trust anchors. This means the connection will still succeed if the server presents a valid certificate from a trusted CA (such as a system CA or a custom CA defined in the app's configuration). However, if no trusted certificate is available, the connection will fail. + +If developers assume pinning is still in effect but don't realize it has expired, the app may start trusting CAs it was never intended to. + +> Example: A financial app previously pinned to its own private CA but, after expiration, starts trusting publicly trusted CAs, increasing the risk of compromise if a CA is breached. The goal of this test is to check if any expiration date is in the past. diff --git a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0242.md b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0242.md index 8b2a88815c..11146f316e 100644 --- a/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0242.md +++ b/tests-beta/android/MASVS-NETWORK/MASTG-TEST-0242.md 
@@ -2,17 +2,17 @@ title: Missing Certificate Pinning in Network Traffic platform: network id: MASTG-TEST-0x242 -type: [static] +type: [network] weakness: MASWE-0047 --- ## Overview -There are various ways how certificate pinning can be done for an application. +There are multiple ways an application can implement certificate pinning, including via the Android Network Security Config, custom TrustManager implementations, third-party libraries, and native code. Since some implementations might be difficult to identify through static analysis, especially when obfuscation or dynamic code loading is involved, this test uses network interception techniques to determine if certificate pinning is enforced at runtime. -Since statically finding all of the locations where certificate pinning is performed might not be feasible, this test case uses dynamic analysis to observe all connections the app makes. +The goal of this test case is to observe whether a [MITM attack]("../../../Document/0x04f-Testing-Network-Communication.md#mitm-attack) can intercept HTTPS traffic from the app. A successful MITM interception indicates that the app is either not using certificate pinning or implementing it incorrectly. -The goal of this test case is to dynamically check if the connection to a server can be intercepted using a [Man-in-the-Middle attack]("../../../Document/0x04f-Testing-Network-Communication.md#mitm-attack). If this is possible, it means that the certificate is not pinned correctly or not pinned at all. +If the app is properly implementing certificate pinning, MITM should fail because the app would reject certificates issued by an unauthorized CA, even if the CA is trusted by the system. ## Steps 
@@ -22,7 +22,7 @@ The goal of this test case is to dynamically check if the connection to a server ## Observation -The output should contain a list domains, for which the interception was successful. +The output should contain a list of domains for which the interception was successful. ## Evaluation
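Review bot: the link destination in the added line of the `0x05g-Testing-Network-Communication.md` hunk carries a stray slash before the anchor, `0x04f-Testing-Network-Communication.md/#restricting-trust-identity-pinning`; written that way the relative link resolves to a directory, so it should read `0x04f-Testing-Network-Communication.md#restricting-trust-identity-pinning`. The same hunk also introduces the expansion "Machine-in-the-Middle (MITM)" while the `MASTG-TEST-0242.md` hunk removes the "Man-in-the-Middle" expansion entirely and keeps only "MITM attack"; pick one expansion and use it in both files so the cross-referenced sections agree.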
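Review bot: the added Overview line in the `MASTG-TEST-0241.md` hunk wraps the link destination in double quotes, `[Network Security Configuration (NSC)]("../../../Document/0x05g-Testing-Network-Communication.md#certificate-pinning")`; a quoted destination is not a valid Markdown link target and renders literally. The removed line had the same defect, but since the sentence is being rewritten anyway this is the place to drop the quotes. Separately, the unchanged closing sentence "The goal of this test is to check if any expiration date is in the past" now sits under a paragraph that names the `expiration` attribute for the first time; stating the date format that attribute expects would let the static check be written unambiguously.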
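Review bot: the `[MITM attack]` link in the added Overview line of the `MASTG-TEST-0242.md` hunk opens a double quote before the destination and never closes it, `("../../../Document/0x04f-Testing-Network-Communication.md#mitm-attack)`, so the link will not render; remove the quote. Two context lines in the same hunk also look wrong and could be fixed while the front matter is being edited: `id: MASTG-TEST-0x242` does not match the file name `MASTG-TEST-0242.md`, and `platform: network` is set on a test that lives under `tests-beta/android/`, whereas the sibling test `MASTG-TEST-0241.md` uses `platform: android`. Confirm which of the two the test catalogue expects before merging.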