The Downside of Improper Certificate Validation

By AFour Technologies

So, what is certificate validation?

Certificate validation is the mechanism by which a client or application confirms, before exchanging data, that it is genuinely interacting with the intended server, in order to prevent fraud. The problem discussed here arises when an application does not properly verify the SSL server certificate, or accepts a certificate whose hostname does not match the host it is connecting to. A remote attacker who can intercept the connection can then present a specially crafted SSL certificate and read the encrypted traffic in a man-in-the-middle attack.

Let's examine how to reproduce and recognize this problem in an Android mobile application so that its impact can be minimized.

A host mismatch occurs when an application communicates with a host that presents a certificate, but does not adequately confirm that the certificate actually belongs to that host. The following OpenSSL code obtains the peer certificate and checks that chain verification succeeded; note that nothing in it confirms that the certificate was issued for the host being contacted:

```c
X509 *cert = SSL_get_peer_certificate(ssl);
if (cert && (SSL_get_verify_result(ssl) == X509_V_OK)) {
    /* The chain verified, but the certificate's name has not been
       compared with the host we connected to (host mismatch). */
    // do secret things
}
X509_free(cert); /* SSL_get_peer_certificate() returns a reference that must be released */
```

So, what exactly happens when a certificate is invalid?

● It can enable a man-in-the-middle (MITM) attack in which the attacker impersonates a reputable entity: the application connects to a malicious host while believing the connection is safe.
● It can also lead to a loss of brand value and customer trust, which may eventually result in monetary losses.

How to Identify?

1. Self-signed certificate
Select the Options tab in BurpSuite, then navigate to the Proxy tab, select the Proxy Listeners section, highlight your listener, and click Edit. Then select "Use a self-signed certificate" under the Certificate tab and press OK. Run your application now. If HTTPS traffic is visible, your application is accepting self-signed certificates.

2. Accepting certificates from an untrusted CA
Select the Options tab in BurpSuite, then navigate to the Proxy tab, select the Proxy Listeners section, highlight your listener, and click Edit. Then select the "Generate a CA-signed certificate with a specific hostname" option on the Certificate tab and enter the hostname of the backend server. Run your application now. If HTTPS traffic is visible, your application is accepting certificates from an untrusted CA.

3. Accepting incorrect hostnames
Select the Options tab in BurpSuite, then navigate to the Proxy tab, select the Proxy Listeners section, highlight your listener, and click Edit. Then choose the option to generate a CA-signed certificate for a specific hostname on the Certificate tab, and enter an incorrect hostname, such as yahoo.com. Run your application now. If HTTPS traffic is visible, your application is accepting any hostname.

Some scenarios:

1. The attacker first sets up a proxy on the Android mobile device and routes its traffic through BurpSuite, which by default uses a CA-signed certificate.
2. In BurpSuite, the attacker replaces the default certificate with one that is either self-signed or otherwise invalid.
3. If certificate validation is not properly implemented in the target mobile application, the application cannot verify that the certificate originates from a trusted source, and may mistake a malicious host for a legitimate one.
4. By supplying such a specially crafted SSL certificate, a remote attacker can carry out a man-in-the-middle attack and read the encrypted communication.

Steps to curb such attacks:

● Certificates should be carefully managed and checked to ensure that data is encrypted with the intended owner's public key.
● If certificate pinning is used, ensure that all relevant properties of the certificate, including the hostname, are fully validated before the certificate is pinned.

This blog post is one of many steps our team at AFour Technologies has taken to inform businesses about security threats. Our security specialists would be delighted to speak with you if this topic concerns you or your company.
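As an added example (not code from the original post), the following Go program performs the checks the OpenSSL snippet above omits and maps its verdicts onto the three BurpSuite tests: it builds a constructed self-signed certificate, classifies it as untrusted, host-mismatched, or accepted, and compares an optional SPKI pin only after chain and hostname validation pass, as the last bullet recommends. The function names and the host api.example.com are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the usual pin format.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CheckPeer does what the OpenSSL snippet skips: chain trust, then hostname, then the optional pin.
func CheckPeer(cert *x509.Certificate, roots *x509.CertPool, host, pin string) string {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "untrusted issuer" // self-signed or unknown CA: Burp checks 1 and 2
	}
	if err := cert.VerifyHostname(host); err != nil {
		return "hostname mismatch" // e.g. a yahoo.com certificate: Burp check 3
	}
	if pin != "" && SPKIPin(cert) != pin {
		return "pin mismatch" // compared only after the two checks above passed
	}
	return "ok"
}

// NewSelfSignedCert is constructed test data standing in for the certificate a proxy listener presents.
func NewSelfSignedCert(host string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Adding the certificate to the root pool stands in for a device on which the proxy's certificate has been installed as trusted; with an empty pool the same certificate is rejected as coming from an untrusted issuer.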