
NowSecure dynamic analysis: Certificate Pinning Not Implemented for Some Domains #38

@github-actions

Description

Finding Description

The app doesn't implement certificate pinning as a hardening measure for some domains.

Certificate pinning (also called public key pinning) is a hardening measure layered on top of standard TLS certificate validation. It is typically used by high-risk apps whose threat model includes Man-in-the-Middle (MITM) attacks in scenarios where a Certificate Authority (CA) has been compromised, or where a malicious CA certificate has been installed in the user's device trust store, either by accident or through a targeted social engineering attack.

Instead of trusting every CA in the system certificate store, a pinned app restricts the set of certificates (or public keys) it will accept for a given host. A connection that presents any other certificate is terminated immediately, even if the chain would otherwise validate.

Evaluation Criteria:

The Evidence Table presents an overview of all detected connection domains.

  • Domain Name: detected domain name
  • Pinned?: indicates whether the domain was pinned
  • Pinning Implementation: implementation used to pin the domain
  • Runtime Attempt: indicates any pinning attempts to this domain during the current execution of the app

Carefully inspect every domain in the evidence table whose "Pinned?" column reads false. If a domain is under your control and your app is supposed to pin it (e.g., it handles high-risk or sensitive user data), treat the missing pin as a vulnerability for that domain and follow the recommendation below. A false in the "Runtime Attempt" column only means that no pinning attempt to that domain was observed during the run; it does not by itself tell you whether the app connects to that host at all, so confirm that the name is a real endpoint rather than a string that merely occurs in the APK (a third-party library's homepage or an XML namespace, for example).

Disclaimer: This test cannot detect all possible pinning implementations. If your app is pinning some of the reported domains, you can safely ignore the finding for those domains. However, we strongly recommend avoiding custom pinning implementations and following the platform's recommended mechanism, which on Android is the Network Security Configuration.


Remediation Resources

Recommended fix

Certificate pinning should be used exclusively as a hardening measure for high-risk apps. If your app requires certificate pinning (e.g., compliance with the OWASP MASVS or other standards or regulations), there are a few important considerations:

  • Pin only endpoints under your control. Include backup keys (backup pins) and have a proper app update strategy; without them, the app stops working the next time the certificate is replaced, and recovering requires shipping an update through the Play Store, which means extended downtime for your users.
  • Google's recommended approach is to include your pin set in the Network Security Configuration.
  • Pin the public key, more specifically the SubjectPublicKeyInfo (SPKI) of the certificate, rather than the certificate itself. The SPKI stays the same when a certificate is re-issued for the same key, so routine renewals do not break the pin.

Refer to the Additional Guidance section below to learn more.
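Worked example of the three recommendations above (pin the SubjectPublicKeyInfo, ship a backup pin, put the set in the Network Security Configuration). This is added example code, not NowSecure's or K-9 Mail's: it builds the SPKI DER itself so it runs offline with nothing but the Python standard library, and the RSA moduli, the docs.k9mail.app domain and the expiration date are constructed placeholders, not real keys or a real pin set.

```python
"""
Compute Android Network Security Configuration pins (pin-sha256) for a
public key, emit a config with a primary pin plus a backup pin, and show
what the platform's match check does with a pinned vs. an unpinned key.
Added example; the keys below are constructed and not real.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Iterable

# DER contents of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value: big-endian, with a leading
    0x00 when the top bit is set so it is not read as negative."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo (RFC 5280 s4.1.2.7) for an RSA key:
    SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { RSAPublicKey } }.
    This is exactly the byte string the pin is computed over."""
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    # BIT STRING contents start with the number of unused bits (0 here).
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)
    return der_tlv(0x30, algorithm + subject_public_key)


def pin_sha256(spki_der: bytes) -> str:
    """Value for <pin digest="SHA-256">: base64(SHA-256(DER(SPKI)))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches(pin_set: Iterable[str], chain_spkis: Iterable[bytes]) -> bool:
    """The check the platform applies at connection time: the chain is
    accepted only if at least one certificate's SPKI hashes to a pin in the set."""
    pins = set(pin_set)
    return any(pin_sha256(spki) in pins for spki in chain_spkis)


def network_security_config(domain: str, pins: Iterable[str], expiration: str) -> str:
    """res/xml/network_security_config.xml for one domain. Listing a backup
    pin (for a key kept offline) means a key rotation does not strand users;
    `expiration` makes pinning lapse after that date (fail-open), so a missed
    app update cannot leave the app permanently unable to connect."""
    root = ET.Element("network-security-config")
    domain_config = ET.SubElement(root, "domain-config")
    ET.SubElement(domain_config, "domain", includeSubdomains="true").text = domain
    pin_set = ET.SubElement(domain_config, "pin-set", expiration=expiration)
    for pin in pins:
        ET.SubElement(pin_set, "pin", digest="SHA-256").text = pin
    return ET.tostring(root, encoding="unicode")


# Constructed demo keys (NOT real keys): the key currently serving the
# endpoint, a backup key held offline, and an attacker's key.
LIVE_SPKI = rsa_spki_der((1 << 2047) | 0x0BADC0DE1, 65537)
BACKUP_SPKI = rsa_spki_der((1 << 2047) | 0x0FEEDF00D, 65537)
ROGUE_SPKI = rsa_spki_der((1 << 2047) | 0x0DEADBEEF, 65537)

LIVE_PIN = pin_sha256(LIVE_SPKI)
BACKUP_PIN = pin_sha256(BACKUP_SPKI)
PIN_SET = [LIVE_PIN, BACKUP_PIN]

if __name__ == "__main__":
    print(network_security_config("docs.k9mail.app", PIN_SET, "2026-12-31"))
    # A re-issued certificate with the same key has the same SPKI, so it still matches.
    print("live key accepted:", chain_matches(PIN_SET, [LIVE_SPKI]))
    print("rotated to backup key:", chain_matches(PIN_SET, [BACKUP_SPKI]))
    # A certificate from a compromised or user-installed CA carries a different key.
    print("rogue key accepted:", chain_matches(PIN_SET, [ROGUE_SPKI]))
```

The generated SPKI has the standard 294-byte layout of a 2048-bit RSA public key (the familiar `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA` prefix when base64-encoded), so the same pin function applies to a real key. For a deployed endpoint you would not build the SPKI by hand; the usual pipeline is `openssl s_client -servername HOST -connect HOST:443 </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64`, run once for the live key and once for the offline backup key. The resulting file is referenced from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element.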

Additional


Evidence

Displaying 20 of 34 rows. See more in the NowSecure Report

Pinned Domains

| Domain Name | Pinned? | Pinning Implementation | Runtime Attempt |
| --- | --- | --- | --- |
| cketti.de | false | N/A | false |
| fontawesome.io | false | N/A | false |
| jutf7.sourceforge.net | false | N/A | false |
| mikepenz.com | false | N/A | false |
| schemas.android.com | false | N/A | false |
| scripts.sil.org | false | N/A | false |
| undefined | false | N/A | false |
| jcraft.com | false | N/A | false |
| slf4j.org | false | N/A | false |
| xmlpull.org | false | N/A | false |
| accounts.google.com | false | N/A | false |
| api.login.aol.com | false | N/A | false |
| api.login.yahoo.com | false | N/A | false |
| commons.apache.org | false | N/A | false |
| developer.android.com | false | N/A | false |
| docs.k9mail.app | false | N/A | false |
| fontawesome.com | false | N/A | false |
| forum.k9mail.app | false | N/A | false |
| fosstodon.org | false | N/A | false |
| github.com | false | N/A | false |

Business Impact

Without certificate pinning, an attacker who holds a certificate issued by a compromised Certificate Authority, or by a CA that was added to the user's device trust store, can mount a Man-in-the-Middle attack and read or modify the app's network traffic.


Risk and Regulatory Information


Application

  • Platform: android
  • Package: com.fsck.k9.debug

See more detail in the NowSecure Report


NowSecure finding identifier: Do not delete. nowsecure_unique_id=bf178e1caa101d2f9270594fe995da1038e3749496b684f3c3f3e8a1d0c0358b
