Bug #22300

[External Audit Findings][Android] Certificate files hardcoded inside the app

Added by yap chekying 21 days ago. Updated 11 days ago.

Status: Pending PROD
Start date: 29 July 2025
Priority: Normal
Due date:
Assignee: yap chekying
% Done: 100%
Category: -
Spent time: -
Target version: -

Description

Issue:
SSL Pinning is a security mechanism used to prevent man-in-the-middle attacks by validating the certificate of a trusted server during the SSL handshake. Developers store a list of trusted certificates within the app and use them to compare against the server certificate. Improper SSL Pinning implementation can make the app vulnerable to man-in-the-middle attacks if the certificate list is hardcoded and outdated.

Recommendation from pentester:
Developers are advised to add obfuscation to make decompilation difficult and to use public keys as variables to make reverse engineering difficult for attackers.

Please refer to attached excel for details.
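One way to implement the pentester's recommendation (pin the server's public key instead of shipping certificate files), shown here as an added example that is not the project's fix or code from this ticket: an Android Network Security Config pin-set with a primary pin, a backup pin and an expiration date, so an outdated pin list stops enforcing pins rather than breaking the app. The domain `api.example.com` and the two base64 pin values are placeholders, and the file is assumed to be referenced from the manifest as `android:networkSecurityConfig="@xml/network_security_config"`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (example; placeholder values) -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>

        <!--
          Pins are SHA-256 digests of the server's SubjectPublicKeyInfo, not
          of the certificate, so renewing the certificate with the same key
          does not invalidate the pin. A pin can be computed from the PEM
          certificate with OpenSSL:

            openssl x509 -in server.pem -pubkey -noout \
              | openssl pkey -pubin -outform der \
              | openssl dgst -sha256 -binary \
              | openssl enc -base64

          After the expiration date Android stops enforcing this pin-set and
          falls back to normal chain validation, which limits the damage of a
          pin list that is shipped but never updated.
        -->
        <pin-set expiration="2026-07-29">
            <!-- primary pin: key currently in use on the server (placeholder) -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup pin: key held offline for rotation, never deployed yet (placeholder) -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>

        <!-- Pins are checked against the system trust store only; user-added
             CAs are not trusted for this domain. -->
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

Rotating to the backup key and then adding a fresh backup pin in the next app release keeps at least one unused pin available, which is the check that prevents a pin list from going stale.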

Copy of Audit Findings - Silver lake - ver2.xlsx (5.15 MB) yap chekying, 29 July 2025 10:03 AM

RE OCBC Business Mobile app Audit Findings - July 2025.msg (364 KB) yap chekying, 06 August 2025 11:07 AM

History

#1 Updated by yap chekying 21 days ago

  • Subject changed from [External Audit][Android] Certificate files hardcoded inside the app to [External Audit Findings][Android] Certificate files hardcoded inside the app

#2 Updated by Hao Ter Tai 21 days ago

  • Assignee changed from Hao Ter Tai to Abdul Halim Baharom

#3 Updated by Hao Ter Tai 19 days ago

  • % Done changed from 0 to 50

238,044
30/7/2025 Bug #22300 [External Audit Findings][Android] Certificate files hardcoded inside the app

Issue:
SSL Pinning is a security mechanism used to prevent man-in-the-middle attacks by validating the certificate of a trusted server during the SSL handshake. Developers store a list of trusted certificates within the app and use them to compare against the server certificate. Improper SSL Pinning implementation can make the app vulnerable to man-in-the-middle attacks if the certificate list is hardcoded and outdated.

Solution:
Remove cert and add encrypted cert. Add logic to read the encrypted cert

Note:
commit to trunk

#4 Updated by Hao Ter Tai 17 days ago

  • Assignee changed from Abdul Halim Baharom to Hao Ter Tai
  • % Done changed from 50 to 90

238,072
1/8/2025 Bug #22300 [External Audit Findings][Android] Certificate files hardcoded inside the app
Issue:
SSL Pinning is a security mechanism used to prevent man-in-the-middle attacks by validating the certificate of a trusted server during the SSL handshake. Developers store a list of trusted certificates within the app and use them to compare against the server certificate. Improper SSL Pinning implementation can make the app vulnerable to man-in-the-middle attacks if the certificate list is hardcoded and outdated.

Solution:
Update SSL pinning for UAT and PROD

#5 Updated by Hao Ter Tai 17 days ago

  • Status changed from New to Resolved
  • Assignee changed from Hao Ter Tai to yap chekying
  • % Done changed from 90 to 100

merged into trunk

#6 Updated by Hao Ter Tai 13 days ago

238,098
5/8/2025 Bug #22300 [External Audit Findings][Android] Certificate files hardcoded inside the app

Remove ssl pinning as requested from OCBC

note: commit in trunk

#7 Updated by yap chekying 13 days ago

#8 Updated by yap chekying 13 days ago

  • Priority changed from Immediate to Normal

#9 Updated by yap chekying 11 days ago

  • Status changed from Pending UAT to Pending PROD
