The chain you get is the chain given by the peer (the web server).
It can contain any number of certificates that have nothing to do with the trust chain created internally by checkSystemTrust().
CertificateChainCleaner.java tries to fix that, but it does not validate any signatures.
So adding invalid certificates can create a second trust chain to circumvent the pinning.
checkPinTrust() returns true if the parameter contains any certificate that matches the pin.
By attaching any trusted, correctly pinned certificate to the TLS response, the entire pinning can be circumvented.
https://github.com/moxie0/AndroidPinning/blob/master/src/org/thoughtcrime/ssl/pinning/PinningTrustManager.java#L176
See https://www.cigital.com/blog/ineffective-certificate-pinning-implementations/ for a more detailed explanation of your security flaw.
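One defensive way to close the gap the report describes, as an added example that is neither the reporter's nor AndroidPinning's code: pin only against the chain the platform actually validated (android.net.http.X509TrustManagerExtensions.checkServerTrusted, API 17+) instead of the raw array the peer sent. ValidatedChainPinner, the pin list and the sha256 helper are hypothetical names introduced here.

```java
// Added example, not AndroidPinning's code. Assumes Android API 17+ for
// X509TrustManagerExtensions and a pin list of SHA-256 hashes over each
// pinned certificate's SubjectPublicKeyInfo supplied by the app (hypothetical).
import android.net.http.X509TrustManagerExtensions;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.X509TrustManager;

public final class ValidatedChainPinner {
    private final X509TrustManagerExtensions systemTrust;
    private final List<byte[]> pinnedSpkiSha256; // hypothetical: provided by the app

    public ValidatedChainPinner(X509TrustManager platformTm, List<byte[]> pins) {
        this.systemTrust = new X509TrustManagerExtensions(platformTm);
        this.pinnedSpkiSha256 = pins;
    }

    /** Throws unless the platform-verified path to a trusted root contains a pinned key. */
    public void checkServerTrusted(X509Certificate[] peerChain, String authType, String host)
            throws CertificateException {
        // Step 1: let the platform build and verify the path (signatures, validity
        // periods, trusted root). The returned list is the verified path. Extra
        // certificates the peer attached that are not on that path are not in it,
        // so a pinned certificate merely appended to the TLS response is ignored.
        List<X509Certificate> validated =
                systemTrust.checkServerTrusted(peerChain, authType, host);

        // Step 2: compare pins against the verified path only, never against peerChain.
        for (X509Certificate cert : validated) {
            byte[] spkiHash = sha256(cert.getPublicKey().getEncoded());
            for (byte[] pin : pinnedSpkiSha256) {
                if (Arrays.equals(pin, spkiHash)) {
                    return; // a pinned key sits on the verified path
                }
            }
        }
        throw new CertificateException("no pinned key on the validated chain for " + host);
    }

    private static byte[] sha256(byte[] data) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
    }
}
```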