When it comes to safeguarding our apps from potential man-in-the-middle attacks, one of the most common approaches that developers take is implementing SSL certificate pinning. By pinning the server's certificate or its public key, we can ensure that the app only communicates with a specific server and rejects any other server presenting a different certificate.
However, this method has its limitations. It only offers protection until the certificate expires, and every time the certificate gets renewed we need to release a new version of the app. This is a time-consuming process, and it may take a while for all users to update to the latest version.
This is where certificate transparency comes in as a solution. It's a mechanism that provides a public log of all certificates that have been issued by Certificate Authorities (CAs). With this, we can monitor and detect any fraudulent certificates issued for our domains, allowing us to take timely action to protect our users.
In Android, the Certificate Transparency policy is enforced for apps that target API level 28 or higher. By enabling this feature, we can ensure that our app only communicates with servers that have a valid and legitimate certificate, protecting our users' data from any potential threats.
What is Certificate Transparency?
Certificate Transparency is a security measure that aims to enhance the trustworthiness of SSL/TLS certificates, which are used to establish secure connections on the internet. This mechanism provides an open framework that allows SSL/TLS certificates to be monitored and audited in nearly real-time.
How Certificate Transparency works?
Certificate Transparency is a system that relies on a network of publicly accessible log servers to provide cryptographic evidence when a certificate authority issues new SSL/TLS certificates for any domain. These log servers can be monitored to detect any suspicious certificates, and they can be audited to ensure that they are working as expected.
The three main goals of Certificate Transparency are to make it difficult to issue certificates without the domain owner's knowledge, to provide auditing and monitoring to detect any mis-issued certificates, and to protect users from such certificates.
When a certificate is submitted to a log server, the server responds with a signed certificate timestamp (SCT), which is a promise that the certificate will be added to the log within 24 hours (the maximum merge delay). User agents, such as web browsers and mobile apps, use this SCT to verify that the certificate presented for a domain has been logged.
By implementing Certificate Transparency, we can detect SSL certificates that have been issued mistakenly by a Certificate Authority (CA) or acquired maliciously from an otherwise trustworthy CA. This means that if a CA mistakenly or maliciously issues a certificate for our domain, we will be able to detect it quickly and take appropriate action to prevent any damage.
Sample public certificate log server: crt.sh (Certificate Search). Enter your domain name and you will get the full history of all certificates issued for it.
Certificate Transparency on Android
We wanted something easy to integrate with standard networking libraries such as OkHttp, Retrofit and Volley. So we have used the certificate transparency library: GitHub - appmattus/certificatetransparency: Certificate transparency for Android and JVM
OKHttp :
The library allows you to create a network interceptor for use with OkHttp where, by default, certificate transparency checks are run on all domains.
You can also specify which hosts to disable certificate transparency checks on through exclusions.
Retrofit :
With Retrofit built on top of OkHttp, configuring it for certificate transparency is as simple as setting up an OkHttpClient as shown in Using Certificate Transparency with OkHttp and supplying that client to your Retrofit.Builder.
Volley :
Overriding the HostnameVerifier can be achieved by overriding createConnection when creating the RequestQueue:
You can also specify which hosts to disable certificate transparency checks on through exclusions.
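As an added example (not code from this post or from the library's own documentation), the three integrations described above, OkHttp, Retrofit and Volley, wired up with the appmattus library; the host names are placeholders, and the `certificateTransparencyInterceptor` / `certificateTransparencyHostnameVerifier` DSL calls are assumed from the library's public API:

```kotlin
// Added example: integrating the appmattus certificatetransparency library.
// Assumes the library and the networking libraries are on the classpath;
// api.example.com and legacy.example.com are placeholder hosts.
import android.content.Context
import com.android.volley.toolbox.HurlStack
import com.android.volley.toolbox.Volley
import com.appmattus.certificatetransparency.certificateTransparencyHostnameVerifier
import com.appmattus.certificatetransparency.certificateTransparencyInterceptor
import okhttp3.OkHttpClient
import retrofit2.Retrofit
import java.net.HttpURLConnection
import java.net.URL
import javax.net.ssl.HttpsURLConnection

// OkHttp: the interceptor checks SCTs on every TLS connection by default.
val ctInterceptor = certificateTransparencyInterceptor {
    // Exclusion: skip CT checks for a placeholder legacy host family
    -"*.legacy.example.com"
    // Inclusion: override the exclusion for one host that is CT-ready
    +"api.legacy.example.com"
}

// Added as a *network* interceptor, as the library requires.
val okHttpClient: OkHttpClient = OkHttpClient.Builder()
    .addNetworkInterceptor(ctInterceptor)
    .build()

// Retrofit: reuse the same client so every Retrofit call gets the CT check.
val retrofit: Retrofit = Retrofit.Builder()
    .baseUrl("https://api.example.com/")
    .client(okHttpClient)
    .build()

// Volley: wrap the default HostnameVerifier on each HttpsURLConnection
// by overriding createConnection when creating the RequestQueue.
fun ctRequestQueue(context: Context) =
    Volley.newRequestQueue(context, object : HurlStack() {
        override fun createConnection(url: URL): HttpURLConnection {
            val connection = super.createConnection(url)
            if (connection is HttpsURLConnection) {
                connection.hostnameVerifier =
                    certificateTransparencyHostnameVerifier(connection.hostnameVerifier) {
                        -"*.legacy.example.com" // same exclusions as above
                    }
            }
            return connection
        }
    })
```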
Testing :
Tools such as mitmproxy help with testing by allowing you to perform a man-in-the-middle proxy for HTTP and HTTPS connections. It provides an interactive console interface that allows network traffic to be intercepted, inspected, modified and replayed.
Start mitmproxy using the command below and install mitmproxy's root cert by visiting http://mitm.it/ on your device.
Set the proxy in the device's Wi-Fi settings using the port number given below and your machine's IP address.
Run the following command on your machine. This will launch a new browser tab where you can see all intercepted network calls.
mitmweb --set add_upstream_certs_to_client_chain=true -k -p <Port Number>
How to verify :
After the proxy has been applied successfully, the app will stop working and will throw an SSL handshake error on every network call, because the certificate mitmproxy presents carries no SCTs and therefore fails the certificate transparency check.