Merge branch 'master' of github.com:OWASP/owasp-mstg

Document/0x04a-Mobile-App-Taxonomy.md

@@ -48,7 +48,7 @@ Progressive Web Apps (PWA) load like regular web pages, but differ from usual we
 
 PWAs combine different open standards of the web offered by modern browsers to provide benefits of a rich mobile experience. A Web App Manifest, which is a simple JSON file, can be used to configure the behaviour of the app after "installation".
 
-PWAs are supported by Android and iOS, but not all hardware features are yet available. For example on Push Notifications, Face ID on iPhone X or ARKit for augmented reality is not available yet on iOS. An overview of PWA and supported features on each platform can be found in a [Medium article from Maximiliano Firtman](https://medium.com/@firt/progressive-web-apps-on-ios-are-here-d00430dee3a7 "Progressive Web Apps on iOS are here").
+PWAs are supported by Android and iOS, but not all hardware features are yet available. For example Push Notifications, Face ID on iPhone X or ARKit for augmented reality is not available yet on iOS. An overview of PWA and supported features on each platform can be found in a [Medium article from Maximiliano Firtman](https://medium.com/@firt/progressive-web-apps-on-ios-are-here-d00430dee3a7 "Progressive Web Apps on iOS are here").
 
 ### What's Covered in the Mobile Testing Guide?
 

Document/0x05g-Testing-Network-Communication.md

@@ -145,7 +145,7 @@ The Network Security Configuration feature can also be used to pin [declarative
     <domain-config>
         <!-- Use certificate pinning for OWASP website access including sub domains -->
         <domain includeSubdomains="true">owasp.org</domain>
-        <pin-set>
+        <pin-set expiration="2018/8/10">
             <!-- Hash of the public key (SubjectPublicKeyInfo of the X.509 certificate) of
             the Intermediate CA of the OWASP website server certificate -->
             <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin>
@@ -239,6 +239,51 @@ myWebView.setWebViewClient(new WebViewClient(){
 });
 ```
 
+##### Xamarin Applications
+
+Applications developed in Xamarin will typically use ServicePointManager to implement pinning.
+
+Normally a function is created to check the certificate(s) and return the boolean value to the method ServerCertificateValidationCallback:
+
+```c#
+[Activity(Label = "XamarinPinning", MainLauncher = true)]
+    public class MainActivity : Activity
+    {
+        // SupportedPublicKey - Hexadecimal value of the public key.
+        // Use GetPublicKeyString() method to determine the public key of the certificate we want to pin. Uncomment the debug code in the ValidateServerCertificate function a first time to determine the value to pin. 
+        private const string SupportedPublicKey = "3082010A02820101009CD30CF05AE52E47B7725D3783B3686330EAD735261925E1BDBE35F170922FB7B84B4105ABA99E350858ECB12AC468870BA3E375E4E6F3A76271BA7981601FD7919A9FF3D0786771C8690E9591CFFEE699E9603C48CC7ECA4D7712249D471B5AEBB9EC1E37001C9CAC7BA705EACE4AEBBD41E53698B9CBFD6D3C9668DF232A42900C867467C87FA59AB8526114133F65E98287CBDBFA0E56F68689F3853F9786AFB0DC1AEF6B0D95167DC42BA065B299043675806BAC4AF31B9049782FA2964F2A20252904C674C0D031CD8F31389516BAA833B843F1B11FC3307FA27931133D2D36F8E3FCF2336AB93931C5AFC48D0D1D641633AAFA8429B6D40BC0D87DC3930203010001";
+
+        private static bool ValidateServerCertificate(
+                object sender,
+                X509Certificate certificate,
+                X509Chain chain,
+                SslPolicyErrors sslPolicyErrors
+            )
+        {
+            //Log.Debug("Xamarin Pinning",chain.ChainElements[X].Certificate.GetPublicKeyString());
+            //return true;
+            return SupportedPublicKey == chain.ChainElements[1].Certificate.GetPublicKeyString();
+        }
+
+        protected override void OnCreate(Bundle savedInstanceState)
+        {
+            System.Net.ServicePointManager.ServerCertificateValidationCallback += ValidateServerCertificate;
+            base.OnCreate(savedInstanceState);
+            SetContentView(Resource.Layout.Main);
+            TesteAsync("https://security.claudio.pt");
+
+        }
+```
+
+In this particular example we are pinning the intermediate CA of the certificate chain. The output of the HTTP response will be available in the system logs.
+
+Sample Xamarin app with the previous example can be obtained at https://github.com/owasp-mstg/blob/master/Samples/Android/02_CertificatePinning/certificatePinningXamarin.apk?raw=true
+
+#### Static Analysis
+
+After decompressing the APK file, use a .NET decompiler like dotPeak,ILSpy or dnSpy to decompile the app dlls stored inside the 'Assemblies' folder and confirm the usage of the ServicePointManager.
+
+
 For further information, please check the [OWASP certificate pinning guide](https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#Android "OWASP Certificate Pinning for Android").
 
 #### Dynamic Analysis
@@ -250,10 +295,16 @@ Dynamic analysis can be performed by launching a MITM attack with your preferred
 #### Overview
 Network Security Configuration was introducted on Android 7 and lets apps customize their network security settings such as custom trust anchors and Certificate pinning.
 
-When apps target API Levels 24+ and are running on an Android device with versions 7+, they used a default Network Security Configuration that doest not trust user supplied CA's, reducing the possibility of MiTM attacks by luring users to install malicious CA's.
+##### Trust Anchors
+
+When apps target API Levels 24+ and are running on an Android device with versions 7+, they use a default Network Security Configuration that doest not trust user supplied CA's, reducing the possibility of MiTM attacks by luring users to install malicious CA's.
 
 This protection can be bypassed by using a custom Network Security Configuration with a custom trust anchor indicating that the app will trust user supplied CA's.
 
+##### Pin-set Expiration Date
+
+Pin-set contain a set of public key pins. Each set can define a expiration date. When the expiration date is reached, the network communication will continue to work, but the Certificate Pinning will be disabled for the affected domains.
+
 #### Static Analysis
 
 The Network Security Configuration should be analysed to determine what settings are configured. The file is located inside the apk in the /res/xml/ folder with the name network_security_config.xml.
@@ -270,11 +321,19 @@ If there are custom <trust-anchors> present in a <base-config> or <domain-config
         </trust-anchors>
     </base-config>
     <domain-config>
-        <domain includeSubdomains="true">owasp.org</domain>
+        <domain includeSubdomains="false">owasp.org</domain>
         <trust-anchors>
             <certificates src="system"/>
             <certificates src="user"/>
         </trust-anchors>
+        <pin-set expiration="2018/8/10">
+            <!-- Hash of the public key (SubjectPublicKeyInfo of the X.509 certificate) of
+            the Intermediate CA of the OWASP website server certificate -->
+            <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin>
+            <!-- Hash of the public key (SubjectPublicKeyInfo of the X.509 certificate) of
+            the Root CA of the OWASP website server certificate -->
+            <pin digest="SHA-256">Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=</pin>
+        </pin-set>
     </domain-config>
 </network-security-config>
 ```
@@ -512,3 +571,8 @@ When you do not have the source code:
 ##### Android Developer Documentation
 
 - Network Security Config - https://developer.android.com/training/articles/security-config
+
+##### Xamarin Certificate Pinning
+
+- Certificate and Public Key Pinning with Xamarin - https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin
+- ServicePointManager - https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager(v=vs.110).aspx

Samples/Android/02_CertificatePinning/readme.md

@@ -0,0 +1 @@
+Samples APKs for Certificate Pinning implementations.