Bug #22300
[External Audit Findings][Android] Certificate files hardcoded inside the app
| Status: | Closed | Start date: | 29 July 2025 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | yap chekying | % Done: | 100% |
| Category: | - | Spent time: | - |
| Target version: | - | | |
Description
Issue:
SSL Pinning is a security mechanism used to prevent man-in-the-middle attacks by validating the certificate of a trusted server during the SSL handshake. Developers store a list of trusted certificates within the app and use them to compare against the server certificate. Improper SSL Pinning implementation can make the app vulnerable to man-in-the-middle attacks if the certificate list is hardcoded and outdated.
Recommendation from pentester:
Developers are advised to add obfuscation to make decompilation difficult and to use public keys as variables to make reverse engineering difficult for attackers.
Please refer to attached excel for details.
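The pattern the recommendation points at, as an added example that is not the app's code or part of the audit attachment: pin the server's public-key (SPKI) hashes with OkHttp instead of bundling certificate files, keep a backup pin so a key rotation does not lock users out, and give the pin set an expiry so an outdated list falls back to platform CA validation instead of staying stale. The hostname, pin values and expiry date are placeholders, and OkHttp is assumed as the app's HTTP client.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.security.MessageDigest
import java.security.cert.X509Certificate
import java.time.LocalDate
import java.util.Base64

// Placeholder host and SPKI pins (SHA-256 of the DER SubjectPublicKeyInfo, base64).
// Real values come from the server operator; the backup pin belongs to a key kept
// offline so the app keeps working when the leaf certificate or key is rotated.
const val API_HOST = "api.example.com"
private const val PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
private const val BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
// Placeholder: the date after which this pin set is considered outdated.
private val PIN_SET_EXPIRY: LocalDate = LocalDate.of(2026, 7, 29)

/** Computes the OkHttp-style pin string for a certificate (used to generate or verify pins). */
fun spkiPin(cert: X509Certificate): String {
    // PublicKey.encoded is the DER SubjectPublicKeyInfo, which is what OkHttp hashes.
    val digest = MessageDigest.getInstance("SHA-256").digest(cert.publicKey.encoded)
    return "sha256/" + Base64.getEncoder().encodeToString(digest)
}

/**
 * Builds the pinned client. After the expiry date the pins are dropped and platform CA
 * validation alone applies, so an app that was not updated in time does not fail hard
 * on a stale pin list; the expiry must be monitored and pins rotated before it is reached.
 */
fun buildClient(today: LocalDate = LocalDate.now()): OkHttpClient {
    val builder = OkHttpClient.Builder()
    if (today.isBefore(PIN_SET_EXPIRY)) {
        val pinner = CertificatePinner.Builder()
            .add(API_HOST, PRIMARY_PIN, BACKUP_PIN)
            .build()
        builder.certificatePinner(pinner)
    }
    return builder.build()
}
```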
History
#1 Updated by yap chekying about 1 month ago
- Subject changed from [External Audit][Android] Certificate files hardcoded inside the app to [External Audit Findings][Android] Certificate files hardcoded inside the app
#2 Updated by Hao Ter Tai about 1 month ago
- Assignee changed from Hao Ter Tai to Abdul Halim Baharom
#3 Updated by Hao Ter Tai about 1 month ago
- % Done changed from 0 to 50
238,044
30/7/2025 Bug #22300 [External Audit Findings][Android] Certificate files hardcoded inside the app
Issue:
SSL Pinning is a security mechanism used to prevent man-in-the-middle attacks by validating the certificate of a trusted server during the SSL handshake. Developers store a list of trusted certificates within the app and use them to compare against the server certificate. Improper SSL Pinning implementation can make the app vulnerable to man-in-the-middle attacks if the certificate list is hardcoded and outdated.
Solution:
Remove cert and add encrypted cert. Add logic to read the encrypted cert.
Note:
commit to trunk
#4 Updated by Hao Ter Tai about 1 month ago
- Assignee changed from Abdul Halim Baharom to Hao Ter Tai
- % Done changed from 50 to 90
238,072
1/8/2025 Bug #22300 [External Audit Findings][Android] Certificate files hardcoded inside the app
Issue:
SSL Pinning is a security mechanism used to prevent man-in-the-middle attacks by validating the certificate of a trusted server during the SSL handshake. Developers store a list of trusted certificates within the app and use them to compare against the server certificate. Improper SSL Pinning implementation can make the app vulnerable to man-in-the-middle attacks if the certificate list is hardcoded and outdated.
Solution:
Update SSL pinning for UAT and PROD
#5 Updated by Hao Ter Tai about 1 month ago
- Status changed from New to Resolved
- Assignee changed from Hao Ter Tai to yap chekying
- % Done changed from 90 to 100
merged into trunk
#6 Updated by Hao Ter Tai about 1 month ago
238,098
5/8/2025 Bug #22300 [External Audit Findings][Android] Certificate files hardcoded inside the app
Remove SSL pinning as requested by OCBC
note: commit in trunk
#7 Updated by yap chekying about 1 month ago
- File RE OCBC Business Mobile app Audit Findings - July 2025.msg added
- Status changed from Resolved to Pending UAT
#8 Updated by yap chekying about 1 month ago
- Priority changed from Immediate to Normal
#9 Updated by yap chekying about 1 month ago
- Status changed from Pending UAT to Pending PROD
#10 Updated by yap chekying 13 days ago
- Status changed from Pending PROD to Closed
Released to production