MASTG-TEST-0243: Expired Certificate Pins in the Network Security Configuration
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview
Apps can configure expiration dates for pinned certificates in the Network Security Configuration (NSC) by using the expiration attribute. When a pin expires, the app no longer enforces certificate pinning and instead relies on its configured trust anchors. This means the connection will still succeed if the server presents a valid certificate from a trusted CA (such as a system CA or a custom CA defined in the app's configuration). However, if no trusted certificate is available, the connection will fail.
If developers assume pinning is still in effect but don't realize it has expired, the app may start trusting CAs it was never intended to.
Example: A financial app previously pinned to its own private CA but, after expiration, starts trusting publicly trusted CAs, increasing the risk of compromise if a CA is breached.
The goal of this test is to check if any expiration date is in the past.
Steps
- Reverse engineer the app (Decompiling Java Code).
- Inspect the AndroidManifest.xml and check if a networkSecurityConfig attribute is set in the <application> tag. If yes, inspect the referenced file and extract the expiration dates for every domain.
Observation
The output should contain a list of expiration dates for pinned certificates.
Evaluation
The test case fails if any expiration date is in the past.
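An added example (not part of the MASTG test itself) that performs the extraction and evaluation steps above against a constructed network_security_config.xml: the domains and pin values are made up, and the handling of nested domain-config elements assumes they inherit the enclosing pin-set when they declare none of their own.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Constructed sample network_security_config.xml; pin values are placeholders.
SAMPLE_NSC = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2022-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
    <domain-config><domain>legacy.api.example.com</domain></domain-config>
  </domain-config>
  <domain-config>
    <domain>cdn.example.com</domain>
    <pin-set expiration="2099-12-31">
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
  <domain-config><domain>static.example.com</domain>
    <pin-set><pin digest="SHA-256">CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=</pin></pin-set>
  </domain-config>
</network-security-config>"""


def collect_pin_expirations(xml_text):
    """Return (domain, expiration or None) for every domain in the NSC."""
    root = ET.fromstring(xml_text)
    results = []

    def walk(config, inherited):
        # A nested <domain-config> without its own <pin-set> inherits the
        # parent's pins, so the parent's expiration applies to its domains too.
        pin_set = config.find("pin-set")
        expiration = pin_set.get("expiration") if pin_set is not None else inherited
        for domain in config.findall("domain"):
            results.append((domain.text.strip(), expiration))
        for child in config.findall("domain-config"):
            walk(child, expiration)

    for config in root.findall("domain-config"):
        walk(config, None)
    return results


def find_expired_pins(xml_text, today):
    """Domains whose pin-set expiration (yyyy-MM-dd) lies before `today`."""
    expired = []
    for domain, expiration in collect_pin_expirations(xml_text):
        if expiration is None:  # no expiration attribute: the pins never expire
            continue
        if dt.date.fromisoformat(expiration) < today:
            expired.append((domain, expiration))
    return expired
```

Run `find_expired_pins(open(path).read(), dt.date.today())` on the XML file referenced by the manifest; any returned entry means the test case fails.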