Introduction Breaking best practice protection of the TLS protocol in an Android environment 2020-05-11 Version 1.0 Author Supervisor C.A.L. Mandjes F. de Korte Master student Radboud University Northwave Red team [email protected] [email protected] Supervisor Second reader Prof. dr. E. Verheul Dr. ir. E. Poll Radboud University Radboud University [email protected] [email protected] 1 Introduction Abstract Northwave’s Red team performs penetration testing on Android applications for its customers. As part of this test, the tester analyzes the data which is being transmitted between the application and its backend server. However, many applications are using the Transport Layer Security (TLS) protocol, which is an encryption protocol, with the certificate pinning technique implemented. In order to set up a man-in-the-middle attack, Northwave was using a tool called the Android-SSL-Trustkiller. This tool disables the certificate pinning technique so that a man- in-the-middle position can be deployed. However, the Android-SSL-Trustkiller is not working when the targeted Android application is using the SafetyNet Attestation service. Therefore, the goal of this research project is to find a new way to break the protection of the data sent in a TLS session, with certificate pinning and SafetyNet Attestation service implemented, in an Android environment. The SafetyNet Attestation service is an anti-abuse system that focusses on the integrity of the Android application and the Android device which it is running on. As part of the integrity checks on the Android device, it can detect whether a device is rooted. The Android-SSL-Trustkiller requires a rooted Android device; this is one of the reasons why this approach is not working when the targeted Android application is using the SafetyNet Attestation service. This research project proposes a solution, called the Android-CertificatePinning-Killer, to bypass certificate pinning for an Android application by deploying code modification at run- time. The Android-CertificatePinning-Killer can bypass the following certificate pinning libraries: Android’s default library and the OKHttp library. Since the SafetyNet Attestation service can detect rooted Android devices, several experiments are performed to bypass this service. In these experiments, the two root implementations, system and systemless root, are assessed to bypass the SafetyNet Attestation service. Based on the performed experiments, it can be concluded that the rooted OnePlus 3T Android device could not be detected by SafetyNet’s device integrity checks when it is using systemless root. 2 Introduction Contents 1 INTRODUCTION ...................................................................................................................... 7 1.1 CONTEXT ....................................................................................................................................................................7 1.2 PROBLEM DESCRIPTION ...............................................................................................................................................7 1.3 RESEARCH QUESTION ..................................................................................................................................................8 1.4 APPROACH .................................................................................................................................................................8 1.5 OUTLINE.....................................................................................................................................................................9 2 TRANSPORT LAYER SECURITY PROTOCOL .................................................................................. 11 2.1 INTRODUCTION ........................................................................................................................................................ 11 2.2 HISTORY .................................................................................................................................................................. 11 2.3 PROTOCOLS ............................................................................................................................................................. 11 2.3.1 TLS Record protocol....................................................................................................................................... 12 2.3.2 TLS Handshake protocol ............................................................................................................................... 14 2.3.3 TLS Change Cipher Spec protocol................................................................................................................ 17 2.3.4 TLS Alert protocol........................................................................................................................................... 18 2.3.5 TLS Application Data protocol ..................................................................................................................... 18 2.4 SECURITY CONTROLS ................................................................................................................................................ 19 2.4.1 Confidentiality ................................................................................................................................................ 19 2.4.2 Integrity ........................................................................................................................................................... 19 2.4.3 Authentication................................................................................................................................................ 19 2.4.4 Forward secrecy ............................................................................................................................................. 19 2.5 PROTOCOL WEAKNESSES .......................................................................................................................................... 20 2.5.1 Cryptographic aspects .................................................................................................................................. 20 2.5.2 Version aspects .............................................................................................................................................. 21 2.5.3 Implementation aspects ............................................................................................................................... 21 3 DIGITAL CERTIFICATES............................................................................................................ 24 3.1 INTRODUCTION ........................................................................................................................................................ 24 3.2 CERTIFICATE AUTHORITY........................................................................................................................................... 24 3.2.1 Chain of trust .................................................................................................................................................. 25 3.2.2 Baselines.......................................................................................................................................................... 25 3.3 X.509 STANDARD .................................................................................................................................................... 27 3.3.1 Certificate format .......................................................................................................................................... 27 3.3.2 Additional extensions and techniques ....................................................................................................... 28 3.4 CERTIFICATE VALIDATION.......................................................................................................................................... 30 3.4.1 Certification path processing ....................................................................................................................... 30 3.4.2 HTTP Public Key Pinning ............................................................................................................................... 31 3.4.3 Certificate pinning ......................................................................................................................................... 32 4 CERTIFICATE PINNING IMPLEMENTATION ................................................................................. 34 4.1 INTRODUCTION ........................................................................................................................................................ 34 4.2 ANDROID TLS IMPLEMENTATION.............................................................................................................................. 35 4.3 ANDROID CERTIFICATE PINNING IMPLEMENTATION .................................................................................................... 36 4.4 IOS IMPLEMENTATION ............................................................................................................................................. 38 5 ANDROID SAFETYNET SERVICE ................................................................................................ 40 5.1 INTRODUCTION .......................................................................................................................................................