mobsf.mobsfscan.best_practices.tls_certificate_transparency.android_certificate_transparency


This app does not enforce TLS Certificate Transparency, which helps detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority.


Definition

rules:
  - id: android_certificate_transparency
    patterns:
      - pattern-either:
          - pattern: |
              import com.babylon.certificatetransparency;
          - pattern: |
              new CTInterceptorBuilder(...)
          - pattern: |
              new CTHostnameVerifierBuilder(...)
    message: This app does not enforce TLS Certificate Transparency that helps to
      detect SSL certificates that have been mistakenly issued by a certificate
      authority or maliciously acquired from an otherwise unimpeachable
      certificate authority.
    languages:
      - java
    severity: INFO
    metadata:
      cwe: cwe-295
      owasp-mobile: m3
      masvs: network-4
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
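As an added illustration (not part of the mobsfscan rule or the MobSF project), the client shape this rule reports beside one that satisfies it. The builder calls (CTInterceptorBuilder, includeHost, build) are assumed from the certificatetransparency library's documented Java usage; the host name is a placeholder.

```java
// Added example, not code from the mobsfscan rule or the MobSF project.
// Assumes the com.babylon.certificatetransparency library and OkHttp are on the classpath;
// the builder API below is taken from the library's documented Java usage.
import com.babylon.certificatetransparency.CTInterceptorBuilder;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;

public final class CtClientFactory {

    // Weak: no CT enforcement. Any certificate chaining to a trusted CA is accepted,
    // even one that was never logged, so a mis-issued certificate goes unnoticed.
    // This is the shape the rule reports: no CTInterceptorBuilder anywhere in the app.
    public static OkHttpClient withoutCertificateTransparency() {
        return new OkHttpClient.Builder().build();
    }

    // Corrected: a network interceptor that fails the connection when the server
    // certificate for a listed host lacks valid Signed Certificate Timestamps.
    // It must be a *network* interceptor so it sees the actual TLS handshake chain.
    public static OkHttpClient withCertificateTransparency() {
        Interceptor ct = new CTInterceptorBuilder()
                .includeHost("*.example.com") // placeholder: the app's own API hosts
                .build();
        return new OkHttpClient.Builder()
                .addNetworkInterceptor(ct)
                .build();
    }
}
```

Only hosts passed to includeHost are checked; traffic to any other host is not subject to the CT check unless it is listed as well.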