Bug #22300
[External Audit Findings][Android] Certificate files hardcoded inside the app
| Status: | New | Start date: | 29 July 2025 |
|---|---|---|---|
| Priority: | Immediate | Due date: | |
| Assignee: | Abdul Halim Baharom | % Done: | 0% |
| Category: | - | Spent time: | - |
| Target version: | - | | |
Description
Issue:
SSL pinning is a security mechanism used to prevent man-in-the-middle attacks by validating the certificate of a trusted server during the SSL handshake. Developers store a list of trusted certificates within the app and compare the server certificate against it. An improper SSL pinning implementation, such as a certificate list that is hardcoded in the app and outdated, can leave the app vulnerable to man-in-the-middle attacks.
Recommendation from pentester:
Developers are advised to add obfuscation to make decompilation difficult and to use public keys as variables to make reverse engineering difficult for attackers.
Please refer to attached excel for details.
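One way to apply the recommendation on Android, as an added example that is not part of this finding or the audited app: pin the server's public key (SPKI SHA-256 digest) through the Network Security Config instead of bundling certificate files, with a backup pin and an expiration date so that a rotated or outdated pin does not strand the app. The host name and both pin values are placeholders; real pins are computed from the server's and the backup key's SubjectPublicKeyInfo.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml
     via android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <domain-config>
        <!-- Placeholder host; replace with the backend the app talks to -->
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- Pins are base64(SHA-256(DER SubjectPublicKeyInfo)). After the
             expiration date Android stops enforcing the pin-set and falls back
             to normal CA validation, so pins must be refreshed before then. -->
        <pin-set expiration="2026-07-29">
            <!-- Primary pin: key currently deployed on the server (placeholder) -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- Backup pin: key kept offline for rotation (placeholder) -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Pinning the key rather than the certificate lets the server renew its certificate from the same key without an app update, and the backup pin covers a planned key rotation.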
History
#1 Updated by yap chekying about 13 hours ago
- Subject changed from [External Audit][Android] Certificate files hardcoded inside the app to [External Audit Findings][Android] Certificate files hardcoded inside the app
#2 Updated by Hao Ter Tai about 13 hours ago
- Assignee changed from Hao Ter Tai to Abdul Halim Baharom