
insecure pinning

Open MarcusWolschon opened this issue 9 years ago • 0 comments

https://github.com/moxie0/AndroidPinning/blob/master/src/org/thoughtcrime/ssl/pinning/PinningTrustManager.java#L176

The chain you get is the chain given by the peer = web server. It can contain any number of certificates that have nothing to do with the trust chain created internally by checkSystemTrust().

CertificateChainCleaner.java tries to fix that but it does not validate any signatures. So adding invalid certificates can create a second trust chain to circumvent the pinning.

checkPinTrust() returns true if the parameter contains any certificate that matches the pin. By attaching any trusted, correctly pinned certificate to the TLS response, the entire pinning can be circumvented.

See https://www.cigital.com/blog/ineffective-certificate-pinning-implementations/ for a more detailed explanation of your security flaw.

MarcusWolschon, Feb 14 '17 09:02
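As an added example that is not part of this issue or of the AndroidPinning code base, the following shows the pattern the report describes (scanning the chain exactly as the peer sent it and accepting any match) next to a hardened version that first lets the platform build and verify the path and then pins only against the certificates on that verified path. It assumes Android API 17+ for android.net.http.X509TrustManagerExtensions and uses the hex SHA-256 of the DER-encoded SubjectPublicKeyInfo as the pin format; the class and method names (PinCheck, anyPeerCertMatchesPin, checkServerTrustedAndPinned) are hypothetical.

```java
import android.net.http.X509TrustManagerExtensions;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

// Hypothetical class written for this example; not part of AndroidPinning.
public final class PinCheck {
    private final X509TrustManagerExtensions systemTrust;
    private final Set<String> pinnedSpkiSha256; // hex SHA-256 over DER SubjectPublicKeyInfo

    public PinCheck(X509TrustManager systemTm, Set<String> pins) {
        // X509TrustManagerExtensions exists since API 17 (assumption: app targets that or later)
        this.systemTrust = new X509TrustManagerExtensions(systemTm);
        this.pinnedSpkiSha256 = pins;
    }

    static String spkiHash(X509Certificate cert) throws CertificateException {
        try {
            byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // VULNERABLE pattern, as described in the issue: the peer controls the order and
    // content of peerChain, so it can append any certificate whose key matches a pin.
    // Nothing here checks that the matching certificate actually signed anything
    // on the path to the leaf, so the loop returns true for an attacker's chain like
    // [attackerLeaf, attackerCa, legitimatePinnedCa].
    boolean anyPeerCertMatchesPin(X509Certificate[] peerChain) throws CertificateException {
        for (X509Certificate c : peerChain) {
            if (pinnedSpkiSha256.contains(spkiHash(c))) {
                return true;
            }
        }
        return false;
    }

    // HARDENED: checkServerTrusted() on the extensions wrapper returns the ordered chain the
    // platform actually verified (signatures, validity, hostname), with unrelated certificates
    // the peer tacked on left out. Pinning is then evaluated only over that verified path, so an
    // appended-but-unused pinned certificate no longer satisfies the check.
    void checkServerTrustedAndPinned(X509Certificate[] peerChain, String authType, String host)
            throws CertificateException {
        List<X509Certificate> verifiedPath = systemTrust.checkServerTrusted(peerChain, authType, host);
        for (X509Certificate c : verifiedPath) {
            if (pinnedSpkiSha256.contains(spkiHash(c))) {
                return; // a pinned key is on the path that was really used to trust the leaf
            }
        }
        throw new CertificateException(
                "Certificate pinning failure: no pinned public key in verified chain for " + host);
    }
}
```

If the rogue certificate's issuer is not trusted by the system store, checkServerTrusted() already throws before pinning is consulted; if it is a trusted-but-unexpected CA (the case pinning exists for), the verified path contains no pinned key and the hardened check rejects it, whereas anyPeerCertMatchesPin() would have accepted the chain because of the appended pinned certificate.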