Lack of Certificate Pinning


Description

The application does not implement certificate pinning when establishing secure network connections. Certificate pinning is the process of associating a pre-defined, authorized host with its expected X.509 certificate or public key, so that the connection is rejected when the server presents any other certificate, even one that chains to a trusted CA. Without certificate pinning, an attacker who can obtain a certificate the device trusts can perform a Man In The Middle (MITM) attack and intercept user data.

Impact

An attacker with access to the application’s network traffic can exploit the lack of certificate pinning to intercept secure communications. An attacker could acquire a certificate the device accepts as valid through a compromised CA or by installing a trusted user CA on the device. Once that certificate is trusted, the attacker can perform Man In The Middle attacks on the encrypted communications and capture sensitive or personal information.
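As an added example that is not part of this findings entry, the check a pinning implementation performs on every connection: extract the leaf certificate's SubjectPublicKeyInfo, hash it, and compare the result against an allow-list of pins. It assumes the `sha256/<base64>` pin format used by HPKP and OkHttp, and the certificate it parses is a constructed skeleton with the real tbsCertificate field order, not a real certificate.

```python
import base64
import hashlib

def _read_tlv(data, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _elements(data, start, end):
    """Yield (tag, element_start, element_end) for each TLV inside a constructed value."""
    while start < end:
        tag, _, vend = _read_tlv(data, start)
        yield tag, start, vend
        start = vend

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (whole TLV) of an X.509 certificate."""
    _, tbs_start, _ = _read_tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_vstart, tbs_vend = _read_tlv(cert_der, tbs_start)  # tbsCertificate SEQUENCE
    fields = list(_elements(cert_der, tbs_vstart, tbs_vend))
    if fields[0][0] == 0xA0:                                  # optional EXPLICIT [0] version
        fields = fields[1:]
    _, start, end = fields[5]   # serial, signature, issuer, validity, subject, SPKI
    return cert_der[start:end]

def spki_pin(cert_der):
    """Pin string in the 'sha256/<base64>' form used by HPKP and OkHttp."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def pin_matches(cert_der, pins):
    return spki_pin(cert_der) in pins   # reject the connection when this is False

def _der(tag, content):  # minimal DER TLV encoder, only for building the sample below
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

# Constructed sample (not a real certificate): correct field order, dummy contents.
SAMPLE_SPKI = _der(0x30, _der(0x30, b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01")
                   + _der(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _der(0x30, b"") * 4 + SAMPLE_SPKI)
                   + _der(0x30, b"") + _der(0x03, b"\x00" + b"\x22" * 200))
```

Pinning the SPKI rather than the whole certificate lets the certificate be reissued for the same key without breaking the pin; ship a backup pin for the next key so a rotation does not lock users out.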

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References
