Android certificate trust problems and Big Brother

Source: Internet
Author: User
Tags: mitm attack

0x00 Background
1. The recent large-scale hijacking of icloud.com, yahoo.com and apple.com.
2. The WooYun platform and CVE are both receiving large numbers of vulnerability reports about Android apps that trust every certificate.
3. An article by a foreign author about the Big Brother MITM mentions that the 360 browser showed no certificate error while it was being intercepted.

The trusted-certificate issue has been raised before, but it is widely ignored because exploiting it requires a man-in-the-middle (MITM) position, which is rare compared with other attacks. Good habits, such as staying off untrusted networks, make such an attack unlikely. The recent MITM, however, was carried out by manipulating BGP routes on the core backbone network, so its reach was very wide and it was very hard to avoid. Have you been hijacked?
0x01 Popular science
HTTPS & SSL
To improve security, sensitive pages such as registration, login and management consoles are generally served over HTTPS; Gmail, online banking and iCloud all use it. HTTPS/SSL provides three things: authentication of the site, encryption of the traffic, and integrity of the data. Authentication comes from the certificate being issued by a CA the client trusts; encryption alone works with any certificate, trusted or not, so a validated certificate chain is what turns an encrypted connection into an authenticated one.
Digital certificate
A digital certificate is used for identity authentication on the Internet. A site obtains one after being vetted by a CA (Certificate Authority), and the certificate then attests to the site's identity. Certificates are broadly divided into server certificates and client certificates: server certificates (SSL certificates) are used for authentication and encrypted communication, client certificates mainly for authentication and electronic signatures. Applying to a CA for a certificate generally costs money.
Self-signed certificate

A certificate that is not issued by a CA but signed with its own key. A web browser that meets one usually shows a dialog asking whether you want to trust it. It costs nothing.


Man-in-the-middle attack
The attacker establishes independent connections with both ends of a communication and relays the data between them, so both ends believe they are talking directly to each other over a private connection while in fact the attacker controls the whole session. The attacker can intercept everything both parties send and inject new content. In many cases this is straightforward to carry out.
0x02 Analysis
With a plain Android WebView implementation, a site with a trusted certificate loads normally, but a site with a self-signed certificate shows the "not found" page. (apple.com and apple.com.cn were being hijacked while this was written.)

Logcat reports insecure content on the page.

Web console: The page displayed insecure content!


A fully featured mobile browser shows a warning like the following when it opens a site with a self-signed certificate:

On a PC, the browser shows the warning on the left when it opens a self-signed site.

To get rid of
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

developers often reach for the following wrong fixes. The risk is greater still when browser applications adopt the same fixes, because the browser is exactly the component that should be warning the user.


Override Google's default certificate check mechanism (decompiled code; the obfuscated class names are kept as found):

    import java.security.cert.X509Certificate;
    import javax.net.ssl.X509TrustManager;

    class bv implements X509TrustManager {
        bv(bu parambu) {}

        public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) {
            // Do nothing -> accept any certificate
        }

        public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString) {
            // Do nothing -> accept any certificate: no chain, expiry or CA check at all
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }

Trust all host names:

    import java.security.KeyStore;
    import org.apache.http.HttpVersion;
    import org.apache.http.client.HttpClient;
    import org.apache.http.conn.ClientConnectionManager;
    import org.apache.http.conn.scheme.PlainSocketFactory;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
    import org.apache.http.params.BasicHttpParams;
    import org.apache.http.params.HttpParams;
    import org.apache.http.params.HttpProtocolParams;
    import org.apache.http.protocol.HTTP;

    // SSLSocketFactoryEx is the app's own subclass of SSLSocketFactory that installs
    // a no-op TrustManager like the one above (its body is not shown on this page)
    public static HttpClient getNewHttpClient() {
        try {
            // obtain an empty key store
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null, null);
            SSLSocketFactory sf = new SSLSocketFactoryEx(trustStore);
            // trust all host names
            sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

            HttpParams params = new BasicHttpParams();
            HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
            HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);

            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
            registry.register(new Scheme("https", sf, 443));

            ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);
            return new DefaultHttpClient(ccm, params);
        } catch (Exception e) {
            // silently falls back to a stock client if anything above fails
            return new DefaultHttpClient();
        }
    }

Empty HostnameVerifier:

    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLSession;

    HostnameVerifier hv = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            // Always return true -> accept any host name
            return true;
        }
    };



In fact, as early as February there was already a storm over Android apps overriding Google's default certificate checking mechanism (X509TrustManager): afterwards no security check is performed on the certificate at all, every abnormal HTTPS certificate is accepted outright, and the dangerous connection is neither terminated nor reported to the user as a risk. The HostnameVerifier part of the problem received much less attention.
Given that, as mentioned above, the PC version of the 360 browser showed no certificate error when hijacked (hard to believe), and given the recent spate of Android app certificate problems, I wondered whether some mobile browsers had the same weakness. In testing, the 360 mobile browser and the Sogou browser both do.
Baidu and Maxthon readily detect the certificate error:


360 and Sogou load the hijacked site directly:


Decompiling the browsers and looking at how certificate errors are handled:


The Sogou browser handles certificate trust improperly and trusts all host names.

Keywords to search for in decompiled code: checkServerTrusted, setHostnameVerifier, ALLOW_ALL_HOSTNAME_VERIFIER, X509TrustManager, onReceivedSslError
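The last keyword, onReceivedSslError, is where a WebView-based browser decides what to do with a bad certificate, and its default behaviour is also why the plain WebView in 0x02 refused the self-signed site. The following is an added illustration, not code from the original article or from any of the browsers examined: the first WebViewClient reproduces the silent handler.proceed() pattern that lets a hijacked page load without a word, the second cancels by default and only proceeds after the user has seen the reason. The class names are my own.

```java
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/*
 * Pattern that lets a browser load a hijacked site silently (illustrative,
 * not a copy of any decompiled browser): every SSL error is swallowed.
 */
class ProceedOnEverythingClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();   // untrusted CA, wrong host, expired: all accepted, no warning
    }
}

/*
 * Hardened variant: explain the error, cancel the load by default, and
 * proceed only on an explicit user decision, as the mainstream browsers do.
 */
class WarnAndCancelClient extends WebViewClient {

    /** Map the WebView's primary error code to a reason the user can act on. */
    static String describe(SslError error) {
        switch (error.getPrimaryError()) {
            case SslError.SSL_UNTRUSTED:    return "the certificate authority is not trusted";
            case SslError.SSL_IDMISMATCH:   return "the certificate does not match the host name";
            case SslError.SSL_EXPIRED:      return "the certificate has expired";
            case SslError.SSL_NOTYETVALID:  return "the certificate is not yet valid";
            case SslError.SSL_DATE_INVALID: return "the certificate date is invalid";
            default:                        return "the certificate is invalid";
        }
    }

    @Override
    public void onReceivedSslError(final WebView view, final SslErrorHandler handler,
                                   final SslError error) {
        new AlertDialog.Builder(view.getContext())
            .setTitle("This connection is not private")
            .setMessage("Cannot verify " + error.getUrl() + ": " + describe(error) + ".")
            // Safe default: back out of the load.
            .setPositiveButton("Go back", new DialogInterface.OnClickListener() {
                public void onClick(DialogInterface d, int which) { handler.cancel(); }
            })
            // Escape hatch, offered only after the user has seen the reason.
            .setNegativeButton("Continue anyway", new DialogInterface.OnClickListener() {
                public void onClick(DialogInterface d, int which) { handler.proceed(); }
            })
            // Dismissing the dialog (back key) must not count as consent (API 17+).
            .setOnCancelListener(new DialogInterface.OnCancelListener() {
                public void onCancel(DialogInterface d) { handler.cancel(); }
            })
            .show();
    }
}
```

Install with webView.setWebViewClient(new WarnAndCancelClient()). The point of the second class is that every path except the explicit "Continue anyway" button ends in handler.cancel(); a client whose only call is handler.proceed() is exactly what the keyword search above is meant to find.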
0x03 Comparison of mainstream mobile browsers
Browsers tested: Firefox, Chrome, UC Browser, Sogou Browser, Baidu Browser, 360 Security Browser, Oupeng Browser, Maxthon Cloud Browser and Cheetah Browser.
Test method: visit https://example.com/ from the phone and check whether the browser warns about the certificate. (Update: this method is no longer valid.)
Page loads with no warning: 360 Security Browser, Cheetah Browser, Sogou Browser
Normal security warning: Firefox, Chrome, UC Browser, Baidu Browser, Oupeng Browser, Maxthon Cloud Browser
0x04 Recommendations
For developers:
1. Non-browser apps: if you can afford a CA-issued certificate, buy one; if not, bundle your certificate in the client and validate against it. Never trust all certificates.
2. Browser apps must strictly follow the client-side procedure for verifying the server certificate:
Has the certificate expired?
Is the issuing CA trusted?
Does the CA's public key verify the CA's signature on the server certificate (the certificate's signature value)?
Does the domain name in the server certificate match the server's actual domain name?

3. Use setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER), not ALLOW_ALL_HOSTNAME_VERIFIER.
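As an added example (not from the original article), the following class puts recommendations 1 to 3 into code and is the hardened counterpart of the trust-all getNewHttpClient() shown in 0x02. The class name StrictTls, the method names and the assumption that the app ships its CA or self-signed server certificate as an asset such as assets/ca.crt are mine; the APIs are the standard javax.net.ssl ones plus the Apache HttpClient classes that were bundled with Android at the time.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.HttpVersion;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;
import org.apache.http.params.HttpProtocolParams;
import org.apache.http.protocol.HTTP;

/** Hypothetical helper (not the article's code): TLS setup that actually verifies the peer. */
public final class StrictTls {

    /**
     * Trust store containing ONLY the CA (or self-signed server certificate) shipped
     * with the app, e.g. read from assets/ca.crt (PEM or DER, assumed file name).
     * The platform's PKIX trust manager then checks validity period, chain signature
     * and issuer against this anchor alone, so a hijacker's certificate is rejected
     * even if a public CA issued it for the same host name.
     */
    public static KeyStore loadPinnedTrustStore(InputStream caCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caCert);
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);            // start empty: no system CAs in here
        trustStore.setCertificateEntry("ca", ca);
        return trustStore;
    }

    /**
     * SSLContext whose trust decision comes from a real trust manager, not a no-op one.
     * Pass null to use the system CA store (what a general-purpose browser must do).
     */
    public static SSLContext strictContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                   // null -> platform default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** HttpsURLConnection variant: chain check from the context, host name check kept strict. */
    public static HttpsURLConnection openStrict(URL url, KeyStore trustStore) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(strictContext(trustStore).getSocketFactory());
        // Explicit strict verifier (Android's default is already strict); never install one
        // that returns true, and never call ALLOW_ALL_HOSTNAME_VERIFIER here.
        conn.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return conn;
    }

    /** Hardened rewrite of the page's getNewHttpClient(): same wiring, real trust store, strict host names. */
    public static HttpClient getStrictHttpClient(KeyStore trustStore) throws Exception {
        SSLSocketFactory sf = new SSLSocketFactory(trustStore);   // validates chains against trustStore
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

        HttpParams params = new BasicHttpParams();
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
        HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);

        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https", sf, 443));

        ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);
        // No catch-all fallback to new DefaultHttpClient(): a broken trust store is a hard error.
        return new DefaultHttpClient(ccm, params);
    }
}
```

Typical use for a single-backend app is getStrictHttpClient(loadPinnedTrustStore(getAssets().open("ca.crt"))); a browser should call strictContext(null) so the system CA store is consulted. Expiry, chain signature and CA trust (items 1 to 3 of the verification procedure above) are all performed inside the platform's PKIX trust manager; the host-name check (item 4) is a separate step, which is why the verifier must be set, or left, strict.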

For users: use apps with a better security track record.
