MSTG-NETWORK-1-4 Fix Network Security Testing on Android and iOS (by @NowSecure) #2042
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Collaborator
cpholguera
commented
Jan 25, 2022
cpholguera
commented
- Both Android and iOS cover now MSTG-NETWORK-1, MSTG-NETWORK-2, MSTG-NETWORK-3, MSTG-NETWORK-4
- Some Tests were split to cover only one MASVS requirement.
- NEW: MSTG-NETWORK-1 on both Android and iOS!
- Fix Network Testing chapters structure and cohesion.
- Fix all network cross-chapter references and corrected some content location.
TheDauntless
approved these changes
Jan 26, 2022
|
|
||
| When running on Android 7.0 (API level 24) or higher, apps targeting those API levels will use a default Network Security Configuration that doesn't trust any user supplied CAs, reducing the possibility of MITM attacks by luring users to install malicious CAs. However, this protection can be bypassed by using a custom Network Security Configuration with a custom trust anchor indicating that the app will trust user supplied CAs. | ||
|
|
||
| Use a decompiler (e.g. jadx or apktool) to confirm the target SDK version. After decoding the app you can look for the presence of `targetSDK` present in the file apktool.yml that was created in the output folder. |
There was a problem hiding this comment.
Suggested change
| Use a decompiler (e.g. jadx or apktool) to confirm the target SDK version. After decoding the app you can look for the presence of `targetSDK` present in the file apktool.yml that was created in the output folder. | |
| Use a decompiler (e.g. jadx or apktool) to confirm the target SDK version. After decoding the app you can look for the presence of `targetSDK` in the file apktool.yml that was created in the output folder. |
There was a problem hiding this comment.
apktool technically is a disassembler though, not a decompiler.
There was a problem hiding this comment.
This was one block I simply moved around I didn't see that so thanks for telling! We have to change it. I assume it just want to say: unpack and check that value in the android manifest.
This is one of many cases where having a "Techniques" chapter we can refer back to will come handy. This way we don't have to explain that you need to unzip the APK, decode the Android Manifest..but you can achieve the same by ...blah blah We'd simply have "Checking a value from the Android Manifest" including all alternatives. And here we'd just say:
["Check that the value minsdk is ... in the Android Manifest"](linktotechniques#checking-a-value...).
There was a problem hiding this comment.
Definitely agree! In general, there are multiple locations where a link would be better than saying the same thing over and over again (e.g. Burp / ZAP)
|
I obviously meant to click 'Request changes' rather than 'Approve' :/ |
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
…int Identify Verification; fix Certificate Pinning in the Network Security Configuration
…ns in Android Developers;
…inning to 0x04f and bypass pinning to 0x05b
cpholguera
changed the title
TheDauntless
requested review from
TheDauntless
and removed request for
TheDauntless
TheDauntless
requested changes
Jul 8, 2022
|
|
||
| When running on Android 7.0 (API level 24) or higher, apps targeting those API levels will use a default Network Security Configuration that doesn't trust any user supplied CAs, reducing the possibility of MITM attacks by luring users to install malicious CAs. However, this protection can be bypassed by using a custom Network Security Configuration with a custom trust anchor indicating that the app will trust user supplied CAs. | ||
|
|
||
| Use a decompiler (e.g. jadx or apktool) to confirm the target SDK version. After decoding the app you can look for the presence of `targetSDK` present in the file apktool.yml that was created in the output folder. |
There was a problem hiding this comment.
Definitely agree! In general, there are multiple locations where a link would be better than saying the same thing over and over again (e.g. Burp / ZAP)
|
|
||
| For more information on this topic please consult the [blog post by NowSecure on ATS](https://www.nowsecure.com/blog/2017/08/31/security-analysts-guide-nsapptransportsecurity-nsallowsarbitraryloads-app-transport-security-ats-exceptions/ "A guide to ATS"). | ||
| > **Apple Recommendation: Configure Exceptions Only When Needed; Prefer Server Fixes**: It’s always better to fix the server when faced with an ATS failure. Exceptions reduce the security of your app. Some also require justification when submitting an app to the App Store, as described in the next section. |
cpholguera
commented
Jul 8, 2022
Co-authored-by: Jeroen Beckers <info@dauntless.be>
cpholguera
commented
Jul 8, 2022
cpholguera
commented
Jul 8, 2022
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
Co-authored-by: Jeroen Beckers <info@dauntless.be>
TheDauntless
approved these changes
Jul 12, 2022
cpholguera
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.