Comments (5)
SecBro1
commented on July 18, 2024
We intentionally did not add this functionality to QARK, largely due to the high likelihood of false positives.
Lack of certificate pinning is not a vulnerability by itself, since it does not directly result in an exploitable condition. It should be considered as more of a best practice.
If you would like to submit a pull request we'd be happy to review it. Otherwise, if you feel you have a list of particularly interesting strings to search for, which are not likely to result in a high false positive rate, we'd happily review it for possible inclusion in an upcoming version.
from qark.
thesp0nge
commented on July 18, 2024
Of course no exploitation is possiblebut no cert pinning makes possible mitm and it brings to a confidentiality loss (that's important for a mobile device). imho qark should have plugins to let people add checks at runtime like this one. What do you think?
from qark.
SecBro1
commented on July 18, 2024
We have recently added a feature to allow for running custom plug-ins. If you would like to create a plug-in for checking for certificate pinning, or any other types of custom check, I would suggest starting here: https://github.com/linkedin/qark/wiki/Plugins
Lack of certificate pinning does not make MitM possible and therefore, is not a vulnerability. It just changes who/where an attacker has to steal/forge the crypto from.
Certificate pinning is designed to protect against CA compromises and/or rogue CAs. No matter how you pin, you are simply shifting the burden of protecting the certificate signing infrastructure and crypto from one party to another. This generally entails removing trust for one or more CAs and relying solely on your organization's internal security.
from qark.
thesp0nge
commented on July 18, 2024
Certificate pinning is a countermeasure for MitM.
from qark.
SecBro1
commented on July 18, 2024
We have a method for running custom plug-ins, so if you want to write something to check for it, feel free.
You can call pinning whatever you'd like, but if an app doesn't implement certificate pinning, there is still no way to perform a MitM attack, against someone else, without stealing the associated crypto or creating new, valid crypto, in an otherwise secure system.
This is a well established opinion, supported by numerous parties, including Google:
https://www.nowsecure.com/blog/2014/07/17/when-a-vulnerability-is-not-really-a-vulnerability/
https://developer.android.com/training/articles/security-ssl.html#Pinning
Perhaps reviewing the OWASP documentation will help clear up any misconceptions about what pinning actually does: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
from qark.
Related Issues (20)
- Improper x.509 certificate validation in extensions of X509TrustManager with general conditions
- Improper x.509 certificate validation in extensions of X509TrustManager with Specific conditions
- can not install qark.
- Dex not supported
- Exported component not found because of code logic
- RecursionError: maximum recursion depth exceeded in comparison HOT 4
- 'xml.etree.ElementTree.Element' object has no attribute 'getchildren' HOT 1
- Failed to run APKTool HOT 4
- lesterdeMacBook-Pro% qark --help zsh: permission denied: qark
- exploit-apk not working on windows
- ImportError: No module named termios
- Error running dex2jar command HOT 1
- npm run generate error
- Broken logic since multidex
- 'qark' is not recognized as an internal or external command HOT 1
- Traceback error fix ?
- FAILURE: Build failed with an exception.
- Could not determine java version from '17.0.6'.
- Problem in Installing Qark requirements HOT 2
- Which is the latest working commit?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from qark.