Merge pull request #969 from clviper/master

Add Xamarin Certificate Pinning Sample Code and APK
OWASP · Aug 14, 2018 · 91672e6 · 91672e6
2 parents f44051c + b7f5325
commit 91672e6
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 3 deletions.
diff --git a/Document/0x05g-Testing-Network-Communication.md b/Document/0x05g-Testing-Network-Communication.md
@@ -145,7 +145,7 @@ The Network Security Configuration feature can also be used to pin [declarative
     <domain-config>
         <!-- Use certificate pinning for OWASP website access including sub domains -->
         <domain includeSubdomains="true">owasp.org</domain>
-        <pin-set>
+        <pin-set expiration="2018/8/10">
             <!-- Hash of the public key (SubjectPublicKeyInfo of the X.509 certificate) of
             the Intermediate CA of the OWASP website server certificate -->
             <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin>
@@ -239,6 +239,51 @@ myWebView.setWebViewClient(new WebViewClient(){
 });
 ```
 
+##### Xamarin Applications
+
+Applications developed in Xamarin will typically use ServicePointManager to implement pinning.
+
+Normally a function is created to check the certificate(s) and return the boolean value to the method ServerCertificateValidationCallback:
+
+```c#
+[Activity(Label = "XamarinPinning", MainLauncher = true)]
+    public class MainActivity : Activity
+    {
+        // SupportedPublicKey - Hexadecimal value of the public key.
+        // Use GetPublicKeyString() method to determine the public key of the certificate we want to pin. Uncomment the debug code in the ValidateServerCertificate function a first time to determine the value to pin. 
+        private const string SupportedPublicKey = "3082010A02820101009CD30CF05AE52E47B7725D3783B3686330EAD735261925E1BDBE35F170922FB7B84B4105ABA99E350858ECB12AC468870BA3E375E4E6F3A76271BA7981601FD7919A9FF3D0786771C8690E9591CFFEE699E9603C48CC7ECA4D7712249D471B5AEBB9EC1E37001C9CAC7BA705EACE4AEBBD41E53698B9CBFD6D3C9668DF232A42900C867467C87FA59AB8526114133F65E98287CBDBFA0E56F68689F3853F9786AFB0DC1AEF6B0D95167DC42BA065B299043675806BAC4AF31B9049782FA2964F2A20252904C674C0D031CD8F31389516BAA833B843F1B11FC3307FA27931133D2D36F8E3FCF2336AB93931C5AFC48D0D1D641633AAFA8429B6D40BC0D87DC3930203010001";
+
+        private static bool ValidateServerCertificate(
+                object sender,
+                X509Certificate certificate,
+                X509Chain chain,
+                SslPolicyErrors sslPolicyErrors
+            )
+        {
+            //Log.Debug("Xamarin Pinning",chain.ChainElements[X].Certificate.GetPublicKeyString());
+            //return true;
+            return SupportedPublicKey == chain.ChainElements[1].Certificate.GetPublicKeyString();
+        }
+
+        protected override void OnCreate(Bundle savedInstanceState)
+        {
+            System.Net.ServicePointManager.ServerCertificateValidationCallback += ValidateServerCertificate;
+            base.OnCreate(savedInstanceState);
+            SetContentView(Resource.Layout.Main);
+            TesteAsync("https://security.claudio.pt");
+
+        }
+```
+
+In this particular example we are pinning the intermediate CA of the certificate chain. The output of the HTTP response will be available in the system logs.
+
+Sample Xamarin app with the previous example can be obtained at https://github.com/owasp-mstg/blob/master/Samples/Android/02_CertificatePinning/certificatePinningXamarin.apk?raw=true
+
+#### Static Analysis
+
+After decompressing the APK file, use a .NET decompiler like dotPeak,ILSpy or dnSpy to decompile the app dlls stored inside the 'Assemblies' folder and confirm the usage of the ServicePointManager.
+
+
 For further information, please check the [OWASP certificate pinning guide](https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#Android "OWASP Certificate Pinning for Android").
 
 #### Dynamic Analysis
@@ -250,10 +295,16 @@ Dynamic analysis can be performed by launching a MITM attack with your preferred
 #### Overview
 Network Security Configuration was introducted on Android 7 and lets apps customize their network security settings such as custom trust anchors and Certificate pinning.
 
-When apps target API Levels 24+ and are running on an Android device with versions 7+, they used a default Network Security Configuration that doest not trust user supplied CA's, reducing the possibility of MiTM attacks by luring users to install malicious CA's.
+##### Trust Anchors
+
+When apps target API Levels 24+ and are running on an Android device with versions 7+, they use a default Network Security Configuration that doest not trust user supplied CA's, reducing the possibility of MiTM attacks by luring users to install malicious CA's.
 
 This protection can be bypassed by using a custom Network Security Configuration with a custom trust anchor indicating that the app will trust user supplied CA's.
 
+##### Pin-set Expiration Date
+
+Pin-set contain a set of public key pins. Each set can define a expiration date. When the expiration date is reached, the network communication will continue to work, but the Certificate Pinning will be disabled for the affected domains.
+
 #### Static Analysis
 
 The Network Security Configuration should be analysed to determine what settings are configured. The file is located inside the apk in the /res/xml/ folder with the name network_security_config.xml.
@@ -270,11 +321,19 @@ If there are custom <trust-anchors> present in a <base-config> or <domain-config
         </trust-anchors>
     </base-config>
     <domain-config>
-        <domain includeSubdomains="true">owasp.org</domain>
+        <domain includeSubdomains="false">owasp.org</domain>
         <trust-anchors>
             <certificates src="system"/>
             <certificates src="user"/>
         </trust-anchors>
+        <pin-set expiration="2018/8/10">
+            <!-- Hash of the public key (SubjectPublicKeyInfo of the X.509 certificate) of
+            the Intermediate CA of the OWASP website server certificate -->
+            <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin>
+            <!-- Hash of the public key (SubjectPublicKeyInfo of the X.509 certificate) of
+            the Root CA of the OWASP website server certificate -->
+            <pin digest="SHA-256">Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=</pin>
+        </pin-set>
     </domain-config>
 </network-security-config>
 ```
@@ -512,3 +571,8 @@ When you do not have the source code:
 ##### Android Developer Documentation
 
 - Network Security Config - https://developer.android.com/training/articles/security-config
+
+##### Xamarin Certificate Pinning
+
+- Certificate and Public Key Pinning with Xamarin - https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin
+- ServicePointManager - https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager(v=vs.110).aspx
diff --git a/Samples/Android/02_CertificatePinning/certificatePinningXamarin.apk b/Samples/Android/02_CertificatePinning/certificatePinningXamarin.apk
diff --git a/Samples/Android/02_CertificatePinning/readme.md b/Samples/Android/02_CertificatePinning/readme.md
@@ -0,0 +1 @@
+Samples APKs for Certificate Pinning implementations.