cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shazron <shaz...@gmail.com>
Subject Re: Adding SSL Certificate Pinning to Cordova
Date Mon, 13 Jan 2014 21:30:03 GMT
Brian, from
http://security.stackexchange.com/questions/29988/what-is-certificate-pinning:
"Certificate Pinning is where you ignore the whole certificate signature
validation hierarchy thing, and say trust this certificate only or perhaps
trust only certificates signed by this certificate."

Like what Tommy said, this needs a hook on iOS into CDVURLProtocol (like
the whitelist), so using a plugin will not suffice.

A plugin can have their own NSURLProtocol, however as the docs say:
"When the URL loading system begins to load a request, each registered
protocol class is consulted in turn to see if it can be initialized with
the specified request. The first NSURLProtocol subclass to return YES when
sent a canInitWithRequest: message is used to perform the URL load. There
is no guarantee that all registered protocol classes will be consulted."

So... it's not reliable if multiple ones are registered. The other
alternative is to provide a (secure) hook into CDVUrlProtocol perhaps
declared through the config.xml (and the plugins are "loaded" by
CDVURLProtocol - not sure of the interfaces here yet) - so it is explicit
that there are hooks instead of through plugin code.

This general solution can provide more benefits -- perhaps there can be
plugins for encrypting/decrypting resources on the fly, etc.


On Mon, Jan 13, 2014 at 11:29 AM, Brian LeRoux <b@brian.io> wrote:

> So, sort of like CRSF tokens except the other way around. ???
>
> I might be misunderstanding but would it not be better to treat the server
> as trusted and the client generally as untrusted. Given there is no cross
> platform key stores the certs are effectively plaintext (but I could be
> misunderstanding the impl).
>
>
> On Sun, Jan 12, 2014 at 3:21 AM, Tommy-Carlos Williams
> <tommy@devgeeks.org>wrote:
>
> > TL;DR: I am proposing to add certificate pinning at least to iOS and
> > Android, and help on any implementations for other platforms in any way I
> > can.
> >
> > (Longer version)
> >
> > There is an existing issue for certificate pinning [1] from back in May
> of
> > 2013 and it's something that I need for all of our apps and even any I
> > might make for myself in the future.
> >
> > The last year or two have seen a pretty serious rise in both actual
> > exploits and awareness around the topic of security. There was an article
> > tweeted around recently about someone auditing mobile bank apps and found
> > that "40% of the audited apps did not validate the authenticity of SSL
> > certificates presented. This makes them susceptible to Man in The Middle
> > (MiTM) attacks" [2].
> >
> > If certificate pinning is something good, and we can make it easy to
> > implement, surely that would be a good thing? The whitelist is all well
> and
> > good, but most people are probably leaving the default "*" and even if
> they
> > didn't, it wouldn't protect them from MitM attacks.
> >
> > There *is* an existing plugin that attempts to do this for Cordova /
> > PhoneGap [3][4], but it has a pretty massive and fairly obvious flaw. It
> > simply checks the certificate then reports back in its callback. At first
> > this might seem OK, but as someone pointed out in an issue [5], an
> attacker
> > "could wait until the server is validated before adding the MITM server,
> > circumventing the security check". I am no security expert, so if I could
> > think of a way to get around this, then it's not very secure.
> >
> > What I am proposing, is adding certificate pinning to Cordova itself so
> > that the *actual* requests are checked (much like the whitelist). Not
> some
> > initial request, or having to try and do two requests for every request
> > (still leaving open the hole I spoke of above).
> >
> > I am looking for buy-in from the list, but I am also interested in
> > discussion on the best way to do it (and test it).
> >
> > My initial proposal is to use SHA1 fingerprints (much like Eddy's plugin
> > above [6]) as opposed to trying to get devs to embed an entire cert file
> in
> > their app. The easier it is to use the more likely people are to use it.
> If
> > they can get the fingerprint from any site they want to safely access by
> > simply using Chrome/Safari/etc, or a basic cli command, that would be
> best.
> > I envisage devs being able to even pin the certs for third party services
> > like Parse etc.
> >
> > A simple config.xml directive with key/value pairs of any
> > hosts/fingerprints should be all a dev needs to use this feature.
> >
> > - tommy
> >
> >
> >
> > 1. https://issues.apache.org/jira/browse/CB-3498
> > 2.
> >
> http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
> > 3.
> >
> http://www.x-services.nl/certificate-pinning-plugin-for-phonegap-to-prevent-man-in-the-middle-attacks/734
> > 4.
> https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin
> > 5.
> >
> https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin/issues/5
> > 6.
> >
> https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin#3-usage
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message