
Avoid disabling certificate pinning Android

I am developing an Android application that uses Certificate Pinning (in a similar fashion to this).

However, I've come across dynamic instrumentation libraries such as Frida, or worse yet, Objection, that can bypass this safeguard.

I understand that security must be implemented on the server side, but I'd like to keep prying eyes outside my API. Moreover, I also understand that Java executables are easy to disassemble and analyze.

How can I make this process more difficult for an attacker, i.e. make basic commands such as objection's

android sslpinning disable

fail, and harden my app? I've seen that depending on the naming of the assets this process also crashes.

Any ideas?

Several hardening frameworks can make it more difficult for Frida and similar tools to attach to and manipulate the app process. However, with enough time, motivation and/or money you can even break those frameworks.

However, usually the question is not "using a hardening framework or not" but "how much money are you willing to pay to get this little extra protection?"

From my knowledge there are no free or even cheap hardening frameworks (please correct me if I am wrong and provide links to those free/cheap solutions with good protection), therefore it is just a question of how much protection you want and how much you are willing to pay.

Note: Proguard and R8 are not hardening frameworks! They only obfuscate the code a bit, but especially when it comes to certificate pinning and disabling it via Frida they do not offer any protection!

Possible Solution

How can I make this process more difficult for an attacker

A possible solution for your problem is to use a Mobile App Attestation solution to guarantee at run-time that your mobile app is not being MitM attacked, is not tampered with, is not running on a rooted device, is not attached to a debugger and no instrumentation framework is present. This is achieved by running an SDK in the background that will communicate with a service running in the cloud to attest the integrity of the mobile app and the device it is running on. The SDK in the mobile app doesn't make any decisions about the integrity of the app or mobile device; that is done in the cloud service, based on measurements provided by the mobile app.

So on a successful attestation of the mobile app integrity by the cloud service, a short-lived JWT token is issued and signed with a secret that only the API server and the Mobile App Attestation service in the cloud are aware of. In the case of failure of the mobile app attestation, the JWT token is signed with a secret that the API server does not know.

Now the App must send the JWT token in the headers of the request with every API call. This will allow the API server to only serve requests when it can verify the signature and expiration time in the JWT token, and refuse them when verification fails.

Once the secret used by the Mobile App Attestation service is not known by the mobile app, it is not possible to reverse engineer it at run-time, even when the App is tampered with, running on a rooted device or communicating over a connection that is the target of a Man in the Middle attack.

So this solution works in a positive detection model without false positives, thus not blocking legit users while keeping the bad guys at bay.

Any ideas?

You can try to roll your own solution or you can look for an existing Mobile App Attestation SAAS solution, like Approov (I work here), that provides SDKs for several platforms, including iOS, Android, React Native and others. The integration will also need a small check in the API server code to verify the JWT token issued by the cloud service. This check is necessary for the API server to be able to decide which requests to serve and which ones to deny.

Summary

In the end, the solution to use in order to protect your API server and mobile app must be chosen in accordance with the value of what you are trying to protect and the legal requirements for that type of data, like the GDPR regulations in Europe.

Going the Extra Mile

You seem to be into mobile app security, so I would like to recommend to you:

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
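The API-server check this answer describes, as an added example (not the answerer's or Approov's code): a stand-in for the attestation service that issues a short-lived HS256 JWT, and the verifier the API server would run, which accepts a request only when the signature matches the shared secret and the token has not expired. The shared secret and timestamps are constructed placeholder values.

```python
import base64
import hashlib
import hmac
import json
import time

# Secret known only to the API server and the attestation service.
# Constructed placeholder for the example, not a real key.
API_SHARED_SECRET = b"constructed-shared-secret-for-demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, lifetime_s: int = 300, now=None) -> str:
    """Stand-in for the attestation service: HS256 JWT with a short 'exp'.
    On failed attestation the service would call this with a secret the
    API server does not know, so verification below fails."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iat": now, "exp": now + lifetime_s}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now=None) -> bool:
    """API-server check: serve the request only if this returns True."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False
    # Pin the algorithm server-side; never trust 'alg' from the token.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return False
    exp = payload.get("exp")
    return isinstance(exp, int) and now < exp
```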
