MASTG-TEST-0242: Missing Certificate Pinning in Network Security Configuration

Overview

Apps can configure certificate pinning using the Network Security Configuration. For each domain, one or multiple digests can be pinned.

The goal of this test is to check whether the app implements certificate pinning using the NSC. Note that the app may instead use other pinning methods, which are covered in other tests.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Obtaining Information from the AndroidManifest to obtain the AndroidManifest.xml.
  3. Use Analyzing the AndroidManifest to check if a networkSecurityConfig is set in the <application> tag.
  4. Use Analyzing the Network Security Configuration to extract all domains from <domain-config> that have a pin set (<pin-set>) from the Network Security Configuration file.

Observation

The output should contain a list of domains which enable certificate pinning.

Evaluation

The test case fails if no networkSecurityConfig is set, or if any relevant domain does not enable certificate pinning.
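The following Python script, added here as an example and not part of the MASTG, performs steps 3 and 4 and applies the evaluation above on constructed manifest and NSC samples. It assumes the decoded AndroidManifest.xml and the NSC file are available as text (for instance from apktool) and that a nested <domain-config> inherits the enclosing pin-set, as Android's NSC parser does.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample AndroidManifest.xml (decoded) that references an NSC file.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed NSC: api.example.com is pinned, cdn.example.com inherits that pin-set, legacy.example.com has none.
NSC_XML = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
    <domain-config><domain>cdn.example.com</domain></domain-config>
  </domain-config>
  <domain-config>
    <domain>legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

def nsc_reference(manifest_xml):
    """Value of android:networkSecurityConfig on <application>, or None if unset (step 3)."""
    app = ET.fromstring(manifest_xml).find("application")
    return None if app is None else app.get(ANDROID_NS + "networkSecurityConfig")

def pinned_domains(nsc_xml):
    """Map every <domain> to the number of pins applying to it; 0 means unpinned (step 4).
    A nested <domain-config> inherits the enclosing pin-set unless it sets its own."""
    result = {}
    def walk(config, inherited):
        pin_set = config.find("pin-set")
        pins = len(pin_set.findall("pin")) if pin_set is not None else inherited
        for domain in config.findall("domain"):
            result[domain.text.strip()] = pins
        for child in config.findall("domain-config"):
            walk(child, pins)

    for config in ET.fromstring(nsc_xml).findall("domain-config"):
        walk(config, 0)
    return result

def evaluate(manifest_xml, nsc_xml):
    """Apply the verdict: fail when no NSC is referenced or any domain has no pins."""
    if nsc_reference(manifest_xml) is None:
        return False, ["no android:networkSecurityConfig on <application>"]
    unpinned = sorted(d for d, n in pinned_domains(nsc_xml).items() if n == 0)
    return not unpinned, unpinned
```

Running `evaluate(MANIFEST_XML, NSC_XML)` on the samples returns a failing verdict naming legacy.example.com as the unpinned domain.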