Introduce an option for rooted device to turn off SSL pinning
Some popular apps like Facebook, Twitter and such do not allow HTTPS filtering. For rooted devices we can turn this feature off.
More information here: http://blog.dewhurstsecurity.com/2015/11/10/mobile-security-certificate-pining.html
A few more articles: https://serializethoughts.com/2016/08/18/bypassing-ssl-pinning-in-android-applications/ https://serializethoughts.com/2016/09/10/905/
Relevant libraries: https://github.com/iSECPartners/Android-SSL-TrustKiller https://github.com/iSECPartners/android-ssl-bypass https://github.com/ac-pm/SSLUnpinning_Xposed https://github.com/ac-pm/SSLUnpinning_Cydia https://github.com/Fuzion24/JustTrustMe/pull/12/files
http://repo.xposed.info/module/mobi.acpm.sslunpinning
If you all subvert the pinning, will AG verify the website cert from that pinning on its own? There's an actual reason for cert pinning!
@TPS They all use valid certificates and we check validation. I don't see any problem here. And again - we give an opportunity to the user, he may use it for 1-2 apps that he chooses.
The sites & apps that use pinning don't trust validation only, so implementing pinning verification in AG might be smart before doing the #21 MITM. I agree it's on the user, but looks to have potential to cause a real-world problem in exchange for convenience.
> If you all subvert the pinning, will AG verify the website cert from that pinning on its own? There's an actual reason for cert pinning!
In fact they use a different SSL pinning algorithm. The one you've linked is a relatively new RFC used by some websites like github. But there is one important note on this: browser ignores HPKP when local root certificate is used, so it's not a problem for us.
What I am talking about is SSL pinning used inside some popular apps like Twitter and Facebook. They throw an error when root certificate is local.
> What I am talking about is SSL pinning used inside some popular apps like Twitter and Facebook. They throw an error when root certificate is local.
All I'm saying is they probably should, as they, for whatever reason, consider their apps high-value targets for malicious hacks, so, if you do subvert that pinning, you'd probably want to replace the functionality somehow to protect the users.
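The "replace the functionality" idea from the comment above, written out as an added example (this is not AdGuard's code and nothing in the thread says how AG validates). It computes the RFC 7469 SPKI pin of a certificate (base64 of SHA-256 over the DER SubjectPublicKeyInfo, the same value HPKP and most app pin sets use) and applies the "at least one certificate in the chain matches a pin" rule that a filtering proxy would have to run on the upstream chain before re-signing with its local root. The certificates and host names are constructed in the code so it runs offline; the pin set is whatever the caller supplies, since real pins for Twitter or Facebook are not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the HPKP-style pin for a certificate: base64 of the
// SHA-256 digest of its DER-encoded SubjectPublicKeyInfo (RFC 7469).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins applies the "pin anywhere in the chain" rule: the upstream
// connection is accepted only if at least one certificate in the chain the
// server presented carries a pin from the allowed set. Ordinary chain
// validation against the device root store is still required in addition.
func verifyPins(chain []*x509.Certificate, allowed []string) error {
	set := make(map[string]struct{}, len(allowed))
	for _, p := range allowed {
		set[p] = struct{}{}
	}
	for _, c := range chain {
		if _, ok := set[spkiPin(c)]; ok {
			return nil
		}
	}
	return errors.New("no certificate in chain matches a pinned SPKI")
}

// newSelfSignedCert builds a throw-away self-signed certificate so the example
// runs offline. The name is a constructed placeholder, not a real host.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed stand-ins: the genuine server cert and a cert issued under
	// a local filtering root that does not carry the pinned key.
	server, _ := newSelfSignedCert("pinned.example.test")
	localRootIssued, _ := newSelfSignedCert("local-filtering-root.example.test")

	pins := []string{spkiPin(server)}
	fmt.Println("pin:", pins[0])
	fmt.Println("genuine chain:", verifyPins([]*x509.Certificate{server}, pins))
	fmt.Println("locally re-signed chain:", verifyPins([]*x509.Certificate{localRootIssued}, pins))
}
```

The second check is the case the thread is about: a chain re-signed by a local root passes normal validation on a device that trusts that root, but fails the pin check, which is exactly the signal an app's pinning code reacts to. A proxy that keeps that check on the upstream side preserves the protection the app was relying on.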
> browser ignores HPKP when local root certificate is used
This is actually terrifying! 😨
> you'd probably want to replace the functionality somehow to protect the users.
We do verify remote certificate against your device root certs of course.
> This is actually terrifying! 😨
Not at all, you can't get a local root certificate unexpectedly (unless you've got some malware with root access, which is why I prefer not to root).
But this issue is solely for rooted devices, right? So the potential remains. Being careful is important! & cert pinning means just cert verification isn't purely trusted, no?
Of course this thing could be a security flaw. That's why it is just an option:)