
androidpinning's People

Contributors

matthewmichihara, moxie0


androidpinning's Issues

Externalize hashing and certificate logic to enable alternative implementations

The implementation currently hard-codes three things that would be ideal to enable a way to provide alternate implementations based on differing needs to deviate from the default behavior in the library:

  1. Hard-codes hashing of the public key (vs. entire certificate). Would be better to allow this to be configurable by inverting the dependencies and enabling injection of a different implementation (e.g. one that ). One reason for this would be if you wanted to achieve cross-platform parity in the definition of a PIN and how it's done. iOS doesn't make it easy in all cases to get the SubjectPublicKeyInfo, for example.
  2. Hard-codes SHA1 hashing of the certificate information (SubjectPublicKeyInfo currently). Organizations will have varying standards for approved hashing algorithms, so it would be nice to make this configurable without having to fork and modify the code.
  3. Requires comparing hashes of the certificate information. Would be nice if the certificate retrieval/hasher was a class that could be swapped out, e.g. if I wanted to avoid the hashing impact on every HTTPS request, I may want to compare raw bits rather than a hash (via a NullCertificateHasher implementation, for example). Then the comparison logic could compare what the class provides to the pins without caring what the bits are.

Wanted to see if there's interest in these changes as I may just make these tweaks if I get some spare time and provide them as I think they would be useful (if they're not already in the works).

SSL Pinning for WebView?

A common omission in certificate pinning implementations and discussions seems to be coverage for WebView requests. Are there plans to provide a sample WebViewClient implementation that invokes the pinning code to make secure requests so developers will know how to do this securely?

Generate pin without M2Crypto python module

If you don't have M2Crypto installed you can use the following openssl commands to generate the pin (on OS X OpenSSL 0.9.8y 5 Feb 2013):

openssl x509 -in certificate.cer -inform DER -outform DER -noout -pubkey | openssl rsa -pubin -outform DER | openssl sha1 -hex

getPinnedHttpsUrlConnection seems to leak sockets

My code uses getPinnedHttpsUrlConnection to create url connections to my server. After it's done reading a response, it closes the UrlConnection. The UrlConnection documentation says that it will not free the socket that it opens, and in fact that is what I see: if I run 'adb -e shell ls -l /proc/[processid]/fd | grep socket', it shows a new socket opened (I'm assuming it's in CLOSED_WAIT state). This isn't a problem yet. However, each time that I call getPinnedHttpsUrlConnection, a new socket is opened and left in this state. Eventually, after calling getPinnedHttpsUrlConnection enough times, the android system reaps my process for having too many open file descriptors.

I suspect the issue here is that we are creating a new SSLSocketFactory for each call to getPinnedHttpsUrlConnection. In fact, I verified that caching the SSLSocketFactory keeps the number of open sockets constant.

I suggest modifying the PinningHelper class in the following way:

import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import android.content.Context;

public class PinningHelper {
  // One SSLSocketFactory per pin set. Reusing the factory lets HttpsURLConnection
  // pool connections instead of leaving a new socket behind on every call.
  private final static Map<List<String>,SSLSocketFactory> sSSLSocketFactories = new HashMap<List<String>, SSLSocketFactory>();
  // ...stuff...
  public static HttpsURLConnection getPinnedHttpsURLConnection(Context context, String[] pins, URL url)
      throws IOException
  {
    if (!url.getProtocol().equals("https")) {
      throw new IllegalArgumentException("Attempt to construct pinned non-https connection!");
    }

    SSLSocketFactory pinnedSslSocketFactory = getPinnedSslSocketFactory(context, pins, 0);

    HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection();
    urlConnection.setSSLSocketFactory(pinnedSslSocketFactory);

    return urlConnection;
  }

  // Returns the cached factory for this pin set, creating it on first use.
  // Note: the cache is keyed by the pin list only, so the enforceUntilTimestampMillis
  // of the first call for a given pin set is the one that sticks.
  public static SSLSocketFactory getPinnedSslSocketFactory(Context context, String[] pins, long enforceUntilTimestampMillis) {
    List<String> pinsList = Arrays.asList(pins);
    synchronized(sSSLSocketFactories) {
      if (!sSSLSocketFactories.containsKey(pinsList)) {
        sSSLSocketFactories.put(pinsList, createPinnedSslSocketFactory(context, pins, enforceUntilTimestampMillis));
      }
      return sSSLSocketFactories.get(pinsList);
    }
  }

  // Builds a TLS context whose only trust manager is the PinningTrustManager.
  private static SSLSocketFactory createPinnedSslSocketFactory(Context context, String[] pins, long enforceUntilTimestampMillis) {
    TrustManager[] trustManagers = new TrustManager[1];
    trustManagers[0]             = new PinningTrustManager(SystemKeyStore.getInstance(context), pins, enforceUntilTimestampMillis);

    try {
      SSLContext sslContext = SSLContext.getInstance("TLS");
      sslContext.init(null, trustManagers, null);

      return sslContext.getSocketFactory();
    } catch (NoSuchAlgorithmException nsae) {
      throw new AssertionError(nsae);
    } catch (KeyManagementException e) {
      throw new AssertionError(e);
    }
  }
}

insecure pinning

https://github.com/moxie0/AndroidPinning/blob/master/src/org/thoughtcrime/ssl/pinning/PinningTrustManager.java#L176

The chain you get is the chain given by the peer = web server.
It can contain any number of certificates that have nothing to do with the trust chain created internally by checkSystemTrust().

CertificateChainCleaner.java tries to fix that but it does not validate any signatures.
So adding invalid certificates can create a second trust chain to circumvent the pinning.

checkPinTrust() returns true if the parameter contains any certificate that matches the pin.
By attaching any trusted, correctly pinned certificate to the TLS-response the entire pinning can be circumvented.

See
https://www.cigital.com/blog/ineffective-certificate-pinning-implementations/
for a more detailed explanation of your security flaw.

Check for trustedChain in CertificateChainCleaner

One of the goals of the certificate chain cleaner is to ensure there's at least one trust anchor in the cleaned chain, so I'm wondering at the order of checks at

Would it be better to put the isTrustRoot(chain[i]) check inside the if (isValidLink(chain[i], chain[i - 1])) block, rather than before it? Otherwise, it seems like trustedChain could be set to true without a verified trust anchor in the chain.

Apologies if this is a non-issue, because I have a feeling there's probably something I've overlooked 😄 and thanks for the library!
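The failure described in the "insecure pinning" issue above, and the check ordering raised in this one, modelled in Python as an added example (not the library's code). Certificates and signatures here are a constructed toy stand-in for X.509: a hash binds each cert to its issuer's key, and the pin is the hex SHA-1 of the key bytes, as pin.py computes it over the SubjectPublicKeyInfo.

```python
import hashlib

# Toy certificate model, constructed for this example (not real X.509): a
# cert carries its subject, the holder's key bytes (standing in for the
# SubjectPublicKeyInfo) and a stand-in signature binding them to the
# issuer's key.
def make_cert(subject, key, issuer_key):
    sig = hashlib.sha256(issuer_key + subject.encode() + key).digest()
    return {"subject": subject, "key": key, "sig": sig}

def valid_link(child, issuer):
    """Model of a signature check: does `issuer` actually vouch for `child`?"""
    expect = hashlib.sha256(issuer["key"] + child["subject"].encode() + child["key"])
    return child["sig"] == expect.digest()

def pin_of(cert):
    """AndroidPinning-style pin: hex SHA-1 of the SPKI (here the toy key)."""
    return hashlib.sha1(cert["key"]).hexdigest()

def clean_chain(peer_chain, trust_roots):
    """Rebuild the leaf-to-root path, verifying every link before accepting
    it and stopping only at a trust root. Peer-supplied certificates that
    are not on that verified path are discarded."""
    cleaned = [peer_chain[0]]
    for _ in range(len(peer_chain) + 1):
        cur = cleaned[-1]
        root = next((r for r in trust_roots if valid_link(cur, r)), None)
        if root is not None:
            return cleaned + [root]
        nxt = next((c for c in peer_chain if c is not cur and valid_link(cur, c)), None)
        if nxt is None:
            raise ValueError("no verified path from leaf to a trust root")
        cleaned.append(nxt)
    raise ValueError("chain too long")

def pin_trust_naive(peer_chain, pins):
    """The check the issue describes: any peer-supplied cert matching a pin passes."""
    return any(pin_of(c) in pins for c in peer_chain)

def pin_trust_validated(peer_chain, trust_roots, pins):
    """Pins are consulted only on the verified path, so an unrelated pinned
    certificate appended to the handshake cannot satisfy the check."""
    try:
        path = clean_chain(peer_chain, trust_roots)
    except ValueError:
        return False
    return any(pin_of(c) in pins for c in path)
```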

Add domain to compare each PIN against

Allow the caller to specify which domain(s?) a pin should apply to. This would allow pinning to be set process-wide using HttpsURLConnection.setDefaultSSLSocketFactory() so that all HttpsURLConnections made by the app, including third-party libraries, could be pinned at the caller's request.

Support SHA-2

I'm trying to use the pin.py to generate the SHA-2 certificate hashes with no success.

I've changed line 39 to
digest = hashlib.sha256()
but with no success.

Any idea?
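What pin.py computes, as an added example that is not part of the project: the pin is the hex digest of the DER-encoded SubjectPublicKeyInfo, which this stand-alone Python walks out of a DER certificate with no M2Crypto (covering both the "Generate pin without M2Crypto" issue and the SHA-2 question here, since the digest algorithm is a parameter). The sample certificate is constructed inline with dummy field contents; feed compute_pin() the bytes of a real DER certificate instead.

```python
import hashlib

def der_read(buf, pos=0):
    """Read one DER TLV at pos: returns (tag, contents, total bytes consumed)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, buf[pos + hdr:pos + hdr + length], hdr + length

def der_children(contents):
    """Split a constructed element into (tag, full TLV bytes) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, _, size = der_read(contents, pos)
        out.append((tag, contents[pos:pos + size]))
        pos += size
    return out

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, _ = der_read(cert_der)
    tbs_tag, tbs_body, _ = der_read(cert_body)       # first child is tbsCertificate
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER-encoded certificate")
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # RFC 5280 order: serialNumber, signature, issuer, validity, subject, spki
    return fields[5][1]

def compute_pin(cert_der, algorithm="sha1"):
    """Hex digest of the SPKI, as pin.py prints it; pass "sha256" for a SHA-2 pin."""
    return hashlib.new(algorithm, extract_spki(cert_der)).hexdigest()

def der_encode(tag, body):                 # encoder, used only to build the sample
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

# Constructed sample certificate: dummy field contents laid out per RFC 5280.
SPKI = der_encode(0x30, der_encode(0x30, b"\x06\x03\x2a\x03\x04")
                  + der_encode(0x03, b"\x00" + b"\x01" * 130))
TBS = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))  # [0] version v3
                 + der_encode(0x02, b"\x01")                           # serialNumber
                 + der_encode(0x30, b"") * 4       # signature, issuer, validity, subject
                 + SPKI)
SAMPLE_CERT = der_encode(0x30, TBS + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
```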

Edge case on API < 16

https://gist.github.com/elevenfive/c5cab352ca368bba3087

Take a look! I confirmed this breaks on < 16. It doesn't break for all URLs. For example, Paypal's site doesn't expose the issue for some reason.

Important details:
#1: The first test that runs creates a pinned connection which succeeds. The second test then tries to make another connection without pins. That 2nd test should not be able to make the connection but for some reason can.
#2: You must attempt to use the stream returned during the test. This happens with the lines:

InputStreamReader isr = new InputStreamReader(respStream);
String respString = readFully(isr);

Any ideas?

build.gradle error

I imported the project in android application. I get the following error in the build.gradle:

Error:(54, 0) No such property: sonatypeRepo for class:
org.gradle.api.publication.maven.internal.ant.DefaultGroovyMavenDeployer

aild => aidl?

I was playing around with trying to add this as a library project to a gradle based Android app I'm making and was running into some errors. I eventually stumbled upon this line: https://github.com/moxie0/AndroidPinning/blob/master/build.gradle#L27

Changing the name of the source set 'aild' to 'aidl' made some of my problems go away, but is that custom source set location necessary? I don't see any use of aidl in the app. Same with renderscript and assets.

GPL vs. LGPL?

Noticed that this is a library but the published license is GPL vs. LGPL. But that makes it unusable in commercial software or even many/most free mobile apps because GPL mandates the entire application be GPL in order to use GPL libraries. https://www.gnu.org/licenses/gpl-faq.html#IfLibraryIsGPL

Any possibility to change the license to LGPL to ensure contributions to the code remain public and free, but that the implementation can be used broadly?

Support SHA2

I am trying to do cert pinning for a SHA2 cert on my server. My app stopped working as the server got upgraded with SHA2, and I am trying to use this library but keep getting SSL javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)

Any idea?

AndroidPinning License

Hi my friend,

I'm currently working on Android projects and I think AndroidPinning is a good fit for my situation.

However, the current license (GPLv3) prevents me from using AndroidPinning on anything but fully open-source, GPL'd Android apps. Would it be possible to change AndroidPinning's license to a less restrictive one like BSD, MIT, ALv2, EPL…?

Use of BKS

Noticed there is code to read certificates from raw folder.
Is the file a single bks file with multiple aliases?
Any chance for an example of how to use?

Can't Find Your Email - So Contacting via Github Issue lol

My name is Davy Yue, and I am the Founder + CEO of LifeEverlasting, an innovative technology enabling a user to interact with anyone from history. See our pitch slide deck below, and note the one-minute promotional video on the second slide:

https://docs.google.com/presentation/d/1OMQ7LMTXqql0Jy1pdslMyeANcjQWcaTch-0zHBjVFzc/edit?usp=sharing

My team and I at LifeEverlasting are currently looking for seed & angel investors, as well as venture capitalists to fund our development process as we push for the first-ever beta release date May 18th, 2018 at 3:00 pm CST as well as the second beta date in the slide deck. We are also looking to work with security professionals, since a significant amount of data would be collected to fuel the neural network and machine-learning process.

I would love to schedule a video or phone call with you to discuss further your possible involvement in LifeEverlasting, an innovative startup breaking new ground in helping establish people's long-living legacy after their physical passing.

Please let me know what you think. Looking forward to talking soon!

Best,

Davy Yue

FileNotFoundException: /system/etc/security/cacerts.bks in ICS

It seems that Android 4.0.3 uses a different system trust store. As a result, code that works on 2.x fails on 4.0.

root@android:/ # ls /system/etc/security
cacerts
otacerts.zip

root@android:/ # ls /system/etc/security/cacerts
00673b5b.0
03e16f6c.0
08aef7bb.0
...

02-15 13:31:54.437: E/AndroidRuntime(824): java.lang.AssertionError: java.io.FileNotFoundException: /system/etc/security/cacerts.bks: open failed: ENOENT (No such file or directory)
02-15 13:31:54.437: E/AndroidRuntime(824): at org.thoughtcrime.ssl.pinning.PinningTrustManager$SystemKeyStore.getTrustStore(PinningTrustManager.java:246)
02-15 13:31:54.437: E/AndroidRuntime(824): at org.thoughtcrime.ssl.pinning.PinningTrustManager$SystemKeyStore.getPkixParameters(PinningTrustManager.java:209)
02-15 13:31:54.437: E/AndroidRuntime(824): at org.thoughtcrime.ssl.pinning.PinningTrustManager$SystemKeyStore.(PinningTrustManager.java:185)
02-15 13:31:54.437: E/AndroidRuntime(824): at org.thoughtcrime.ssl.pinning.PinningTrustManager.(PinningTrustManager.java:102)
...

How does one obtain Google's X.509 certificate?

The readme sample using google pins doesn't validate for me. Looking through stackoverflow I found the following shell script which uses openssl to obtain the certificate of a server:

#!/bin/sh
# Based on http://blog.crazybob.org/2010/02/android-trusting-ssl-certificates.html

SERVER=www.google.com:443
echo | openssl s_client -connect ${SERVER} 2>&1 | \
     sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.pem &&
     cat mycert.pem &&
     echo "Generated pem file"

Running this generates a file which used with the pin.py tool outputs:

Calculating PIN for certificate: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
Pin Value: 6a42217ac7419912ff661867525e5a059a526325

However, when I paste the pin value into the readme HttpsURLConnection sample I get an exception javax.net.ssl.SSLHandshakeException: No valid pins found in chain!, which seems to indicate I'm not retrieving the certificate correctly. How should I retrieve the cert from google and other public websites?
