Certificate pinning 101

Transcript

1. C C L L Xavier Rubio Jansana  @teknik_tdr 

   https://xrubio.com  https://github.com/xrubioj/

2. S S What? Why? How SSL/TLS works MiTM Attacks Certificate

   pinning 101 Security considerations

3. W ? W ? Network security technique

4. W ? W ? Avoid MiTM attacks

5. I I Stealing app secrets Stealing user secrets Subverting communication

   (e.g. change delivery address)

6. H SSL/TLS H SSL/TLS

7. HTTPS C HTTPS C

8. C C

9. C C

10. C S C S Subject Public Key Info

11. C C

12. C C

13. Settings → Security → Trusted certificates System vs User R

    CA R CA

14. M TM A M TM A Root CA injection CA

    insuficient validation → rogue certificate Self-signed certificates → validation disabled

15. C C

16. O H O H Exception: val hostname = "*.google.com" val

    certificatePinner = CertificatePinner.Builder() .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build() val client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure! Peer certificate chain: sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root Pinned certificates for publicobject.com: sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= at okhttp3.CertificatePinner.check(CertificatePinner.java) at okhttp3.Connection.upgradeToTls(Connection.java) at okhttp3.Connection.connect(Connection.java) at okhttp3.Connection.connectAndSetOwner(Connection.java) afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=

17. A N A N AndroidManifest.xml: <?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config>

    <domain includeSubdomains="true">appmattus.com</domain> <pin-set> <pin digest="SHA-256">4hw5tz+scE+TW+mlai5YipDfFWn1dqvfLG+nU7tq1V8=</pin> <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin> </pin-set> </domain-config> </network-security-config> <?xml version="1.0" encoding="utf-8"?> <manifest> <application android:networkSecurityConfig="@xml/network_security_config"> <!-- ... --> </application> </manifest> android:networkSecurityConfig="@xml/network_security_config"

18. B B CWAC-NetSecurity With some manual work... https://github.com/commonsguy/cwac-netsecurity "Allows the

    same XML configuration to be used, going back to API Level 17 (Android 4.2)"

19. H H Hard failure So failure

20. S S Hardcoded pins Accept on first access Get pins

    from server → inception!

21. S S ⚠ Hide your secrets! See "Android security basics"

    talk by Krzysztof Kocel https://www.meetup.com/Barcelona-Android- Developer-Group/events/244107028/

22. R R "Android Security: SSL Pinning" by Matthew Dolan Network

    Security Configuration "CWAC-NetSecurity: Simplifying Secure Internet Access" by CommonsWare CertificatePinner class OkHttp documentation https://medium.com/@appmattus/android-security-ssl-pinning- 1db8acb6621e https://developer.android.com/training/articles/security-config.htm https://github.com/commonsguy/cwac-netsecurity https://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinne

23. Q ? Q ?

24. T ! T ! Xavier Rubio Jansana This talk is

    available at:  @teknik_tdr  https://xrubio.com  https://github.com/xrubioj/ https://xrubio.com/talks/talk-lightning-certificate-pinning/