MASTG-TEST-0282: Unsafe Custom Trust Evaluation

Overview

This test evaluates whether an Android app uses checkServerTrusted(...) in an unsafe manner as part of a custom TrustManager, causing any connection configured to use that TrustManager to skip certificate validation.

Such unsafe implementations can allow an attacker to run a MITM attack with a valid (or self-signed) certificate and intercept or tamper with the app's traffic.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for the relevant APIs.

Observation

The output should contain a list of locations where checkServerTrusted(...) is used.

Evaluation

The test case fails if checkServerTrusted(...) is implemented in a custom X509TrustManager and does not properly validate server certificates.

Further Validation Required:

Inspect each reported code location using Reviewing Decompiled Java Code, looking for cases such as:

  • Using checkServerTrusted(...), which is error-prone, when Network Security Config (NSC) would be enough.
  • Trust manager that does nothing: overriding checkServerTrusted(...) to accept all certificates without any validation, for example by returning immediately without verifying the certificate chain or by always returning true.
  • Ignoring errors: failing to throw proper exceptions (e.g. CertificateException or IllegalArgumentException) on validation failure, or catching and suppressing them.
  • Using checkValidity() instead of full validation: relying only on checkValidity(), which checks whether the certificate is expired or not yet valid but does not verify chain trust or hostname matching.
  • Explicitly loosening trust: disabling trust checks to accept self-signed or untrusted certificates for convenience during development or testing.
  • Misusing getAcceptedIssuers(): returning null or an empty array without proper handling may effectively disable issuer validation.
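The following script is an added example and not part of MASTG or its demos. It reproduces the Steps, Observation and Evaluation above on constructed decompiled-Java fragments (the package, class and field names such as `com/example/net/TrustAllManager.java` and `defaultTm` are hypothetical): `find_locations()` lists every line where `checkServerTrusted(...)` appears, and `evaluate()` applies the patterns from the list above to the brace-matched method body, reporting which pattern caused a failure. The heuristics are deliberately simple regexes and will not catch every obfuscated variant; they are meant to triage locations before the manual review that the test requires.

```python
import re

# Constructed decompiled-Java fragments standing in for jadx output.
# Class, package and field names are hypothetical; they are not taken from any real app.
SAMPLES = {
    "com/example/net/TrustAllManager.java": """\
public class TrustAllManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}""",
    "com/example/net/SwallowingManager.java": """\
public class SwallowingManager implements X509TrustManager {
    private final X509TrustManager defaultTm;
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        try {
            defaultTm.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            // ignored
        }
    }
    public X509Certificate[] getAcceptedIssuers() { return defaultTm.getAcceptedIssuers(); }
}""",
    "com/example/net/ExpiryOnlyManager.java": """\
public class ExpiryOnlyManager implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        for (X509Certificate c : chain) { c.checkValidity(); }
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}""",
    "com/example/net/DelegatingManager.java": """\
public class DelegatingManager implements X509TrustManager {
    private final X509TrustManager defaultTm;
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        defaultTm.checkServerTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return defaultTm.getAcceptedIssuers(); }
}""",
}

DECL_RE = re.compile(r"void\s+checkServerTrusted\s*\(")
CATCH_RE = re.compile(r"catch\s*\(\s*(?:final\s+)?(\w+)\s+\w+\s*\)")
# `return null;`, `return new X509Certificate[0];` or `return new X509Certificate[]{};`
EMPTY_ISSUERS_RE = re.compile(
    r"return\s+(null|new\s+X509Certificate\s*\[\s*0\s*\]|new\s+X509Certificate\s*\[\s*\]\s*\{\s*\})\s*;")


def _strip_comments(code):
    code = re.sub(r"//[^\n]*", "", code)
    return re.sub(r"/\*.*?\*/", "", code, flags=re.S)


def _block_after(src, start):
    """Return the text inside the first {...} block at or after `start` (brace-matched)."""
    open_i = src.index("{", start)
    depth = 0
    for i in range(open_i, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_i + 1:i]
    raise ValueError("unbalanced braces")


def find_locations(src):
    """Observation step: 1-based line numbers of every checkServerTrusted(...) use in one file."""
    return [n for n, line in enumerate(src.splitlines(), 1) if re.search(r"checkServerTrusted\s*\(", line)]


def evaluate(src):
    """Evaluation step: classify one custom X509TrustManager as 'pass', 'fail' or 'review', with reasons."""
    reasons = []
    decl = DECL_RE.search(src)
    if "X509TrustManager" not in src or not decl:
        return "review", ["no custom X509TrustManager override of checkServerTrusted found"]
    body = _strip_comments(_block_after(src, decl.end()))
    # A safe wrapper hands the chain to another (platform) trust manager.
    delegates = re.search(r"\.\s*checkServerTrusted\s*\(", body) is not None
    if not re.sub(r"\s|return\s*;", "", body):
        reasons.append("trust manager that does nothing: checkServerTrusted body is empty")
    for cm in CATCH_RE.finditer(body):
        if not _block_after(body, cm.end()).strip():
            reasons.append(f"ignoring errors: empty catch of {cm.group(1)}")
    if "checkValidity(" in body and not delegates:
        reasons.append("checkValidity() only: expiry checked, chain trust and hostname are not")
    issuers = re.search(r"getAcceptedIssuers\s*\(\s*\)\s*\{", src)
    if issuers and EMPTY_ISSUERS_RE.search(_strip_comments(_block_after(src, issuers.start()))):
        reasons.append("getAcceptedIssuers() returns null or an empty array")
    if reasons:
        return "fail", reasons
    if not delegates:
        return "review", ["no delegation to a platform trust manager; verify chain validation manually"]
    return "pass", reasons


if __name__ == "__main__":
    for path, src in SAMPLES.items():
        verdict, reasons = evaluate(src)
        print(f"{path}: checkServerTrusted at lines {find_locations(src)} -> {verdict}")
        for r in reasons:
            print(f"    - {r}")
```

Only `DelegatingManager` passes, because it forwards the chain to a platform trust manager and lets its `CertificateException` propagate; the other three each trip one of the listed patterns. A "review" verdict marks managers that implement their own validation without delegating, which the script cannot judge and which therefore go to the manual review described above.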

Best Practices

MASTG-BEST-0021: Ensure Proper Error and Exception Handling

Demos

MASTG-DEMO-0054: Use of a TrustManager that Does Not Validate Certificate Chains