Our app's security testing got a security issue related to certificate chain validation. It's CWE-296 https://cwe.mitre.org/data/definitions/296.html

To my knowledge, adding a certificate pinning solves this problem but I'm not sure if there is a way to do certificate chain validation without pinning.

OWASP-MASVS also mentions CWE-296 here under references.

Can someone please provide more knowledge on this? Could you possibly share an example app that does this?

We're using Okhttp for networking!

shaktiman_droid

1 Answer

Based on a discussion with Jeroen Beckers and Sven Schleier from the OWASP MSTG team, I learned that the networking library (in our case Okhttp) should handle certificate chain validation by default, unless the app has a specific custom implementation of TrustManager that trusts all certificates.

Sven mentioned that,

once all the certificate checks are in place (chain validation, expiry of the certificate etc.), SSL Pinning can be implemented. So validation of the chain of trust for certificates always needs to be there; SSL Pinning is then just another layer to make Man-in-the-middle attacks harder.

Our issue might be a false positive flagged by the pen-tester.

Link to the discussion on the OWASP Slack channel

shaktiman_droid
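As an added example (not code from the post, from OWASP or from OkHttp's own documentation), here are the three client configurations the answer contrasts, written in Java against the OkHttp 3/4 API: the trust-all TrustManager that a CWE-296 finding usually points at in code review, the default client that keeps the platform's chain validation, and pinning layered on top of that default. The host api.example.com and the two pin values are placeholders, not real pins.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class ChainValidationExamples {

    // ANTI-PATTERN (CWE-295/296): a TrustManager whose checkServerTrusted() never
    // throws accepts any certificate, so chain validation is effectively disabled.
    // This is the pattern a reviewer searches for when a scanner flags CWE-296.
    static OkHttpClient trustAllClient() throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, null);
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), trustAll)
                .hostnameVerifier((hostname, session) -> true) // also disables the hostname check
                .build();
    }

    // CORRECT DEFAULT: no custom TrustManager or HostnameVerifier. OkHttp delegates to
    // the platform X509TrustManager, which validates the chain, expiry and hostname.
    static OkHttpClient defaultClient() {
        return new OkHttpClient();
    }

    // ADDITIONAL LAYER: pinning on top of (not instead of) default chain validation.
    // Host and SHA-256 SPKI pins are placeholders; a real app uses its own pins and
    // keeps a backup pin so a certificate rotation does not lock users out.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // placeholder
                .add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // placeholder backup
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

With defaultClient() or pinnedClient(), a request to a host presenting an untrusted or expired chain fails with an SSLHandshakeException (or SSLPeerUnverifiedException for a pin mismatch); only trustAllClient() lets it succeed, which is the behaviour a chain-validation finding should be checked against.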