We can try to incorporate test cases that can be used to identify issues with SSL/TLS in Android apps. Reference Doc: https://developer.android.com/training/articles/security-ssl

**Loading custom certificates into the Android KeyStore**

This is usually done to accept self-signed certs or certs signed by an unknown CA.

Regex used: `.keyStore.setCertificateEntry.`

**HostName Verifier**

Failing to check the hostname for a certificate.

Regex: `*public boolean verify(.String.SSLSession.)`

NOTE: This check needs to be done on the entire function and not just on the line of code. The function content has to be chunked out and matched against `return true;`.

**Overriding SSL Check in WebViews**

This is already a part of owasp_static_android.txt.

**Overriding SSL Check**

Android apps can override SSL checks, thus suppressing any SSL validation error.

Regex: `checkServerTrusted.*{}`

NOTE: This check needs to be done on the entire function and not just on the line of code. The function content has to be chunked out and matched against an empty string.

**SSLSocket**

According to the official Android doc:

> Caution: SSLSocket does not perform hostname verification. It is up to your app to do its own hostname verification, preferably by calling getDefaultHostnameVerifier() with the expected hostname. Further beware that HostnameVerifier.verify() doesn't throw an exception on error but instead returns a boolean result that you must explicitly check.

Regex: `.*SSLSocket.createSocket(.`
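The two NOTEs above both need the same thing: the analyzer must chunk out the whole method body rather than grep a single line. The following Python is an added example, not code from the project or from this issue's author, showing one way to do that for all four checks listed here (custom KeyStore entry, `verify(...)` that only returns `true`, empty `checkServerTrusted`, and `SSLSocket.createSocket(` usage). The Java source it scans is constructed for the demo; it contains one unsafe and one safe `HostnameVerifier` (the safe one delegates to `getDefaultHostnameVerifier()` as the Android doc recommends) so the function-level check can be seen to flag only the unsafe one. The rule names and the `extract_body`/`scan` helpers are my own; the regexes here are rewritten equivalents of the ones proposed above, not the literal patterns from the issue.

```python
import re
from typing import Iterator, Tuple

# Constructed sample Java source for the demo (not from any real app).
SAMPLE_JAVA = r'''
public class NetClient {
    public void trustCustomCa(KeyStore keyStore, Certificate cert) throws Exception {
        keyStore.setCertificateEntry("custom-ca", cert);   // rule: custom_keystore_cert
    }

    HostnameVerifier badVerifier = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;                                   // rule: hostname_verifier_return_true
        }
    };

    HostnameVerifier goodVerifier = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
            return hv.verify("api.example.com", session); // real check, must NOT be flagged
        }
    };

    TrustManager badTm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }                                                  // rule: empty_checkServerTrusted
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            defaultTm.checkClientTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    public void connect(SSLSocketFactory f) throws Exception {
        SSLSocket s = (SSLSocket) f.createSocket("api.example.com", 443); // rule: sslsocket_createsocket
        s.startHandshake();
    }
}
'''

# Method signatures whose *body* must be inspected (the two NOTE cases).
VERIFY_SIG = re.compile(
    r"public\s+boolean\s+verify\s*\(\s*(?:final\s+)?String\s+\w+\s*,\s*(?:final\s+)?SSLSession\s+\w+\s*\)")
CHECK_SERVER_SIG = re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)")

# Plain line-level patterns (a single-line regex is enough for these).
LINE_RULES = {
    "custom_keystore_cert": re.compile(r"keyStore\.setCertificateEntry"),
    "sslsocket_createsocket": re.compile(r"SSLSocket.*\.createSocket\("),
}


def strip_comments(code: str) -> str:
    """Drop /* block */ and // line comments so a body that is 'empty apart from
    comments' still compares equal to the empty string. Naive: does not handle
    comment markers inside string literals, which is acceptable for this demo."""
    code = re.sub(r"/\*.*?\*/", "", code, flags=re.S)
    return re.sub(r"//[^\n]*", "", code)


def extract_body(src: str, open_idx: int) -> str:
    """Return the text between the '{' at open_idx and its matching '}'.
    Braces inside double-quoted string literals are ignored."""
    assert src[open_idx] == "{"
    depth, i, in_str = 0, open_idx, False
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1              # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    raise ValueError("unbalanced braces")


def functions_matching(src: str, signature: "re.Pattern") -> Iterator[Tuple[int, str]]:
    """Yield (line_number, body) for every method whose signature matches."""
    for m in signature.finditer(src):
        open_idx = src.find("{", m.end())     # first '{' after the signature/throws clause
        if open_idx == -1:
            continue
        yield src.count("\n", 0, m.start()) + 1, extract_body(src, open_idx)


def scan(src: str) -> list:
    """Run all four checks; return findings as {'rule', 'line'} dicts sorted by line."""
    findings = []
    for line, body in functions_matching(src, VERIFY_SIG):
        if strip_comments(body).strip() == "return true;":   # body is ONLY 'return true;'
            findings.append({"rule": "hostname_verifier_return_true", "line": line})
    for line, body in functions_matching(src, CHECK_SERVER_SIG):
        if strip_comments(body).strip() == "":               # body is empty
            findings.append({"rule": "empty_checkServerTrusted", "line": line})
    for no, text in enumerate(src.splitlines(), 1):
        for rule, pat in LINE_RULES.items():
            if pat.search(text):
                findings.append({"rule": rule, "line": no})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in scan(SAMPLE_JAVA):
        print(f"line {f['line']:3d}: {f['rule']}")
```

The body comparison is deliberately stricter than "contains `return true;`": a verifier that returns `true` after delegating to `getDefaultHostnameVerifier()` also contains that token, so matching on the whole stripped body (exactly `return true;`, or exactly empty for `checkServerTrusted`) avoids flagging the correct implementation. The brace walker is the piece a line-oriented regex tool lacks; it is not a Java parser, so generics, annotations with braces, or char literals containing `{` would need a real parser in production.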