
The Information Protection Officer at my work asked me to produce a version of our Android app (quote) "...without SSL pinning for our.backend.domain.name.com" for vulnerability scanning purposes.

What does this mean? How can I produce this? Where can I find out more about this?

As additional information, the app has been in production use for about five years. The app is a Cordova app using Crosswalk that targets Android SDK 19 to 28.

bluearth
  • Did you check if your application even uses certificate pinning? – Mar 09 '22 at 06:18
  • My problem is that I am not familiar with the concept and thus don't even know where to start looking. I googled around and found [this OWASP page](https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning) but it's still pretty dense for me. – bluearth Mar 09 '22 at 13:31
  • Read the [Cordova documentation](https://cordova.apache.org/docs/en/10.x/guide/appdev/security/#certificate-pinning): "Cordova does not support true certificate pinning...". On Android you can try to use [network security config](https://developer.android.com/training/articles/security-config#CertificatePinning) to perform cert pinning, not sure if this works for cordova apps. – Robert Mar 09 '22 at 15:00
  • @Robert From the link you provided, I went through all resource files of the app. I can't find any `network_security_config.xml` file nor other configuration files that contain network security config elements such as [`<pin>`](https://developer.android.com/training/articles/security-config#pin) or [`<pin-set>`](https://developer.android.com/training/articles/security-config#pin-set). Is it safe to say that my app does not employ certificate pinning? – bluearth Mar 10 '22 at 08:04
  • You won't find it unless you have created one and have linked it in `AndroidManifest.xml`. Check the various tutorials on that topic. – Robert Mar 10 '22 at 08:05
  • @bluearth You can check that quite easily by trying to intercept the traffic with [Burp](https://portswigger.net/burp) or [ZAP](https://www.zaproxy.org/). –  Mar 10 '22 at 10:22
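The comments above point at the two places where pinning can live in an Android build: a network security config referenced from `AndroidManifest.xml` (declarative `<pin-set>` entries), or code in a plugin or native library (Cordova's WebView itself does no pinning). The following Python script is an added example, not code from the original question or comments. It walks an apktool-decoded APK directory (`apktool d app.apk -o decoded`, an assumed workflow), resolves the network security config the manifest references, lists the domains that carry a `<pin-set>`, greps smali and bundled JavaScript for two code-level pinning indicators, and emits the same config with the `<pin-set>` elements removed, which is what a "without SSL pinning" variant of the config amounts to (the app would then be rebuilt with that file). The sample directory tree, manifest, config, pin value and smali file are constructed in a temp directory purely for demonstration; the indicator strings `CertificatePinner` (OkHttp's pinning class) and `setServerTrustMode` (the trust-mode API of cordova-plugin-advanced-http, assumed here) are a heuristic starting list, not an exhaustive one, so a Burp or ZAP intercept as suggested above remains the definitive check.

```python
"""Heuristic check for certificate pinning in an apktool-decoded APK, plus a
helper that produces a network security config with the pins stripped out.

Added example for this thread, not from the original post. Assumed workflow:
    apktool d app.apk -o decoded
    python3 find_pinning.py decoded
Run without arguments to scan a constructed sample tree instead.
"""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Strings that hint at pinning implemented in code rather than in the network
# security config. Heuristic list (assumption): extend it for your own code base.
CODE_PINNING_HINTS = (
    "CertificatePinner",    # OkHttp pinning class, shows up in smali
    "setServerTrustMode",   # cordova-plugin-advanced-http trust-mode API (assumed)
)

# Constructed sample data (placeholder pin, not a real hash).
SAMPLE_PIN = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:networkSecurityConfig="@xml/network_security_config"></application>
</manifest>
"""
NSC = f"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config>
    <domain includeSubdomains="true">our.backend.domain.name.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">{SAMPLE_PIN}</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""
SMALI = """.class public Lcom/example/Api;
.super Ljava/lang/Object;
.field private pinner:Lokhttp3/CertificatePinner;
"""


def manifest_nsc_path(decoded_dir):
    """Path of the network security config referenced by AndroidManifest.xml, or None."""
    root = ET.parse(os.path.join(decoded_dir, "AndroidManifest.xml")).getroot()
    app = root.find("application")
    ref = app.get(f"{{{ANDROID_NS}}}networkSecurityConfig") if app is not None else None
    if not ref or not ref.startswith("@xml/"):
        return None
    return os.path.join(decoded_dir, "res", "xml", ref[len("@xml/"):] + ".xml")


def pinned_domains(nsc_text):
    """Map each pinned domain to its SHA-256 pins; nested <domain-config> is handled by iter()."""
    result = {}
    for dc in ET.fromstring(nsc_text).iter("domain-config"):
        pin_set = dc.find("pin-set")
        if pin_set is None:
            continue
        pins = [p.text.strip() for p in pin_set.findall("pin")]
        for domain in dc.findall("domain"):
            result[domain.text.strip()] = pins
    return result


def strip_pins(nsc_text):
    """Return the config with every <pin-set> removed; cleartext policy and trust anchors stay."""
    root = ET.fromstring(nsc_text)
    for dc in list(root.iter("domain-config")):   # list(): don't mutate while iterating
        for pin_set in dc.findall("pin-set"):
            dc.remove(pin_set)
    return ET.tostring(root, encoding="unicode")


def code_pinning_hits(decoded_dir):
    """(relative path, hint) for every smali/JS file containing a code-level pinning hint."""
    hits = []
    for dirpath, _, files in os.walk(decoded_dir):
        for name in files:
            if not name.endswith((".smali", ".js")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            hits.extend((os.path.relpath(path, decoded_dir), h) for h in CODE_PINNING_HINTS if h in text)
    return hits


def build_sample_apk_dir():
    """Create a constructed tree mimicking apktool output and return its path."""
    d = tempfile.mkdtemp(prefix="decoded-")
    os.makedirs(os.path.join(d, "res", "xml"))
    os.makedirs(os.path.join(d, "smali", "com", "example"))
    for rel, content in (("AndroidManifest.xml", MANIFEST),
                         (os.path.join("res", "xml", "network_security_config.xml"), NSC),
                         (os.path.join("smali", "com", "example", "Api.smali"), SMALI)):
        with open(os.path.join(d, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return d


def main(decoded_dir):
    nsc = manifest_nsc_path(decoded_dir)
    if nsc is None:
        print("AndroidManifest.xml references no network security config")
    else:
        with open(nsc, encoding="utf-8") as fh:
            text = fh.read()
        pins = pinned_domains(text)
        print(f"{nsc}: pinned domains = {sorted(pins) or 'none'}")
        if pins:
            print("same config without pins:\n" + strip_pins(text))
    for path, hint in code_pinning_hits(decoded_dir):
        print(f"code-level pinning hint '{hint}' in {path}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else build_sample_apk_dir())
```

A clean result (no config referenced, no `<pin-set>`, no code hits) is consistent with what the asker reports in the comments, but it only shows that the two common declarative and library-level mechanisms are absent; proxying the app through Burp or ZAP is what actually proves the backend connection can be intercepted.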
