Reputation: 11
Our security team has performed a security scan on our mobile application and found the following vulnerabilities:
Vulnerability Name: Weak SSL Cipher Suites are Supported
Vulnerability Type: attWeakCipherSuites
Calling Method: com.crittercism.internal.ca.a(com.crittercism.internal.bz):com.crittercism.internal.cb
Method Signature: javax.net.ssl.SSLParameters.setCipherSuites(java.lang.String[]):void
Location: (Unknown)
Issue Validation Parameter - Name: cipherSuites
Issue Validation Parameter - Value: [TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Vulnerability Name: Lack of Certificate Pinning
Vulnerability Type: attSSLCertificatePinning
Calling Method: com.crittercism.internal.ca.a(com.crittercism.internal.bz):com.crittercism.internal.cb
Method Signature: java.net.URL.openConnection():java.net.URLConnection
Location: (Unknown)
Issue Validation Parameter - Name: this
Issue Validation Parameter - Value: https://5-8-10-android.appload.ingest.crittercism.com/v0/config
Can someone help me resolve the issues above?
Platform: Android
Framework: React-native
Upvotes: 0
Views: 739
Reputation: 13074
Vulnerability Name: Weak SSL Cipher Suites are Supported
Vulnerability Type: attWeakCipherSuites
You need to pass only the latest recommended cipher suites, and you can read which ones they are on the Mozilla site.
Currently the most secure ones are the ones recommended for Modern Compatibility:
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Vulnerability Name: Lack of Certificate Pinning
Vulnerability Type: attSSLCertificatePinning
Since you are using React Native, you may want to try the react-native-cert-pinner package:
This package manages TLS certificate pinning in react-native for Android and iOS.
You should read the README of the package for the detailed instructions, but as a quick start, this may work:
npm install react-native-cert-pinner --save
followed by an automated installation:
react-native link react-native-cert-pinner
Otherwise you should try, from the README, the manual installation for Android.
If you want to understand why you should be using Certificate Pinning, you can read this blog post on these 2 sections:
It will briefly explain what it is and how it works at a high level, and what to pin.
Certificate pinning is the mechanism of associating a domain name with an expected SSL/TLS certificate, technically and more accurately known as an X.509 certificate.
Here it explains why it needs to be used in order to prevent trust-based assumptions and to protect against use in hostile environments.
While https gives you confidentiality, integrity and authenticity in the communication channel between the mobile app and the API server, certificate pinning will protect these same guarantees from being broken.
Upvotes: 0
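To make the first finding concrete, here is an added Python helper (not from the question, the answer, or the react-native-cert-pinner project) that classifies the cipherSuites array from the scan report against the Modern list given in the answer; the verdict names are my own.

```python
import re

# Scanner finding from the question above: the cipherSuites value the app passes
# to SSLParameters.setCipherSuites (copied from the page).
FLAGGED = [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]
# Mozilla "Modern" (TLS 1.3) suites quoted in the answer, in the answer's order.
MODERN = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]

def classify(suite):
    """Return (verdict, reasons) for one IANA-style cipher suite name."""
    if suite in MODERN:
        return "modern", []
    if suite.endswith("_SCSV"):
        return "signalling", ["SCSV marker, not a real suite"]
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)", suite)
    if not m:
        return "weak", ["unrecognised name, review manually"]
    kx, cipher = m.groups()
    reasons = []
    if not kx.startswith(("ECDHE_", "DHE_")):
        reasons.append("no forward secrecy (%s key exchange)" % kx)
    if "_CBC_" in cipher:
        reasons.append("CBC mode instead of AEAD")
    elif not any(tag in cipher for tag in ("_GCM_", "CHACHA20_POLY1305")):
        reasons.append("non-AEAD cipher")  # RC4, 3DES, NULL and similar land here
    if cipher.endswith("_SHA"):
        reasons.append("SHA-1 based MAC")
    if reasons:
        return "weak", reasons
    return "tls12-pfs-aead", []  # fine for Mozilla "Intermediate", not in "Modern"

def summary(suites):
    counts = {}
    for s in suites:
        verdict = classify(s)[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

def hardened_suites(offered):
    """What survives the answer's advice: only Modern suites are kept."""
    return [s for s in offered if classify(s)[0] == "modern"]
```

An empty hardened_suites() result, as for the scanned list here, means the app currently offers none of the Modern suites, so the fix is to replace the array rather than trim it, which requires TLS 1.3 support on the device.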