
MASTG-TEST-0242: Missing Certificate Pinning in Network Security Configuration

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Overview

Apps can configure certificate pinning using the Network Security Configuration. For each domain, one or multiple digests can be pinned.

The goal of this test is to check whether the app fails to implement certificate pinning through the Network Security Configuration (NSC). Note, however, that the app may be using other pinning methods, which are covered in other tests.

Steps

  1. Reverse engineer the app (see Decompiling Java Code).
  2. Obtain the AndroidManifest.xml (see Obtaining Information from the AndroidManifest) and check whether an android:networkSecurityConfig attribute is set on the <application> tag.
  3. Inspect the referenced network security config file and extract all domains from <domain-config> elements that have a pin set (<pin-set>).
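The extraction in steps 2 and 3 can be automated once the NSC file has been pulled from the decompiled app. The following is an added example, not code from the MASTG page or the OWASP project: it parses a constructed network security configuration, resolves the effective pin-set per domain (including the inheritance of a parent <domain-config>'s pin-set by nested ones) and lists the domains for which this test would fail, treating a pin-set whose expiration date has passed as no pinning, since Android stops enforcing pins after that date.

```python
# Added example (not from the MASTG page); SAMPLE_NSC and its digests are constructed.
import datetime as dt
import xml.etree.ElementTree as ET

SAMPLE_NSC = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">cGxhY2Vob2xkZXItc3BraS1kaWdlc3QtMDAwMDAwMDA=</pin>
    </pin-set>
    <domain-config><domain>inherits.example.com</domain></domain-config>
  </domain-config>
  <domain-config>
    <domain>legacy.example.com</domain>
    <pin-set expiration="2020-01-01"><pin digest="SHA-256">b2xkLXBpbi1wbGFjZWhvbGRlci0wMDAwMDAwMDAwMDA=</pin></pin-set>
  </domain-config>
  <domain-config><domain>cdn.example.com</domain></domain-config>
</network-security-config>"""

def _collect(cfg, inherited, result):
    # A nested <domain-config> inherits its parent's <pin-set> unless it declares its own.
    pin_set = cfg.find("pin-set")
    if pin_set is not None:
        pins = {"digests": [p.text.strip() for p in pin_set.findall("pin")],
                "expiration": pin_set.get("expiration")}
    else:
        pins = inherited
    for dom in cfg.findall("domain"):
        result[dom.text.strip()] = pins
    for child in cfg.findall("domain-config"):
        _collect(child, pins, result)

def extract_pinning(nsc_xml):
    """Map every configured domain to its effective pin-set (None if there is none)."""
    result = {}
    for cfg in ET.fromstring(nsc_xml).findall("domain-config"):
        _collect(cfg, None, result)
    return result

def unpinned_domains(nsc_xml, today=None):
    """Domains failing this test: no pin-set, an empty one, or one whose
    'expiration' (yyyy-MM-dd) lies before `today` (ISO string; default: now)."""
    today = dt.date.fromisoformat(today) if today else dt.date.today()
    failing = []
    for dom, pins in extract_pinning(nsc_xml).items():
        if not pins or not pins["digests"] or (
                pins["expiration"] and dt.date.fromisoformat(pins["expiration"]) < today):
            failing.append(dom)
    return sorted(failing)
```

Run against the real file extracted from the app, every domain reported by unpinned_domains is a candidate for the "Evaluation" failure condition below.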

Observation

The output should contain a list of domains which enable certificate pinning.

Evaluation

The test case fails if no networkSecurityConfig is set, or if any relevant domain does not enable certificate pinning.