Merge pull request #10971 from joefarebrother/android-certificate-pinning

Java: Add Android missing certificate pinning query (CWE-295)

Author: atorralba

java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll

@@ -0,0 +1,140 @@
+/** Definitions for the Android Missing Certificate Pinning query. */
+
+import java
+import semmle.code.xml.AndroidManifest
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.Networking
+import semmle.code.java.security.Encryption
+import semmle.code.java.security.HttpsUrls
+
+/** An Android Network Security Configuration XML file. */
+class AndroidNetworkSecurityConfigFile extends XmlFile {
+  AndroidNetworkSecurityConfigFile() {
+    exists(AndroidApplicationXmlElement app, AndroidXmlAttribute confAttr, string confName |
+      confAttr.getElement() = app and
+      confAttr.getValue() = "@xml/" + confName and
+      this.getRelativePath().matches("%res/xml/" + confName + ".xml") and
+      this.getARootElement().getName() = "network-security-config"
+    )
+  }
+}
+
+/** Holds if this database is of an Android application. */
+predicate isAndroid() { exists(AndroidManifestXmlFile m) }
+
+/** Holds if the given domain name is trusted by the Network Security Configuration XML file. */
+private predicate trustedDomainViaXml(string domainName) {
+  exists(
+    AndroidNetworkSecurityConfigFile confFile, XmlElement domConf, XmlElement domain,
+    XmlElement trust
+  |
+    domConf.getFile() = confFile and
+    domConf.getName() = "domain-config" and
+    domain.getParent() = domConf and
+    domain.getName() = "domain" and
+    domain.getACharactersSet().getCharacters() = domainName and
+    trust.getParent() = domConf and
+    trust.getName() = ["trust-anchors", "pin-set"]
+  )
+}
+
+/** Holds if the given domain name is trusted by an OkHttp `CertificatePinner`. */
+private predicate trustedDomainViaOkHttp(string domainName) {
+  exists(CompileTimeConstantExpr domainExpr, MethodAccess certPinnerAdd |
+    domainExpr.getStringValue().replaceAll("*.", "") = domainName and // strip wildcard patterns like *.example.com
+    certPinnerAdd.getMethod().hasQualifiedName("okhttp3", "CertificatePinner$Builder", "add") and
+    DataFlow::localExprFlow(domainExpr, certPinnerAdd.getArgument(0))
+  )
+}
+
+/** Holds if the given domain name is trusted by some certificate pinning implementation. */
+predicate trustedDomain(string domainName) {
+  trustedDomainViaXml(domainName)
+  or
+  trustedDomainViaOkHttp(domainName)
+}
+
+/**
+ * Holds if `setSocketFactory` is a call to `HttpsURLConnection.setSSLSocketFactory` or `HttpsURLConnection.setDefaultSSLSocketFactory`
+ * that uses a socket factory derived from a `TrustManager`.
+ * `default` is true if the default SSL socket factory for all URLs is being set.
+ */
+private predicate trustedSocketFactory(MethodAccess setSocketFactory, boolean default) {
+  exists(MethodAccess getSocketFactory, MethodAccess initSslContext |
+    exists(Method m | setSocketFactory.getMethod() = m |
+      default = true and m instanceof SetDefaultConnectionFactoryMethod
+      or
+      default = false and m instanceof SetConnectionFactoryMethod
+    ) and
+    initSslContext.getMethod().getDeclaringType() instanceof SslContext and
+    initSslContext.getMethod().hasName("init") and
+    getSocketFactory.getMethod().getASourceOverriddenMethod*() instanceof GetSocketFactory and
+    not initSslContext.getArgument(1) instanceof NullLiteral and
+    DataFlow::localExprFlow(initSslContext.getQualifier(), getSocketFactory.getQualifier()) and
+    DataFlow::localExprFlow(getSocketFactory, setSocketFactory.getArgument(0))
+  )
+}
+
+/**
+ * Holds if the given expression is an qualifier to a `URL.openConnection` or `URL.openStream` call
+ * that is trusted due to its SSL socket factory being set.
+ */
+private predicate trustedUrlConnection(Expr url) {
+  exists(MethodAccess openCon |
+    openCon.getMethod().getASourceOverriddenMethod*() instanceof UrlOpenConnectionMethod and
+    url = openCon.getQualifier() and
+    exists(MethodAccess setSocketFactory |
+      trustedSocketFactory(setSocketFactory, false) and
+      TaintTracking::localExprTaint(openCon, setSocketFactory.getQualifier())
+    )
+  )
+  or
+  trustedSocketFactory(_, true) and
+  exists(MethodAccess open, Method m |
+    m instanceof UrlOpenConnectionMethod or m instanceof UrlOpenStreamMethod
+  |
+    open.getMethod().getASourceOverriddenMethod*() = m and
+    url = open.getQualifier()
+  )
+}
+
+private class MissingPinningSink extends DataFlow::Node {
+  MissingPinningSink() {
+    this instanceof UrlOpenSink and
+    not trustedUrlConnection(this.asExpr())
+  }
+}
+
+/** Configuration for finding uses of non trusted URLs. */
+private class UntrustedUrlConfig extends TaintTracking::Configuration {
+  UntrustedUrlConfig() { this = "UntrustedUrlConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    trustedDomain(_) and
+    exists(string lit | lit = node.asExpr().(CompileTimeConstantExpr).getStringValue() |
+      lit.matches("%://%") and // it's a URL
+      not exists(string dom | trustedDomain(dom) and lit.matches("%" + dom + "%"))
+    )
+  }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof MissingPinningSink }
+}
+
+/** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
+predicate missingPinning(DataFlow::Node node, string domain) {
+  isAndroid() and
+  node instanceof MissingPinningSink and
+  (
+    not trustedDomain(_) and domain = ""
+    or
+    exists(UntrustedUrlConfig conf, DataFlow::Node src |
+      conf.hasFlow(src, node) and
+      domain = getDomain(src.asExpr())
+    )
+  )
+}
+
+/** Gets the domain name from the given string literal */
+private string getDomain(CompileTimeConstantExpr expr) {
+  result = expr.getStringValue().regexpCapture("(https?://)?([^/]*)(/.*)?", 2)
+}

java/ql/lib/semmle/code/java/security/Encryption.qll

@@ -143,13 +143,22 @@ class CreateSslEngineMethod extends Method {
   }
 }
 
+/** The `setConnectionFactory` method of the class `javax.net.ssl.HttpsURLConnection`. */
 class SetConnectionFactoryMethod extends Method {
   SetConnectionFactoryMethod() {
     this.hasName("setSSLSocketFactory") and
     this.getDeclaringType().getAnAncestor() instanceof HttpsUrlConnection
   }
 }
 
+/** The `setDefaultConnectionFactory` method of the class `javax.net.ssl.HttpsURLConnection`. */
+class SetDefaultConnectionFactoryMethod extends Method {
+  SetDefaultConnectionFactoryMethod() {
+    this.hasName("setDefaultSSLSocketFactory") and
+    this.getDeclaringType().getAnAncestor() instanceof HttpsUrlConnection
+  }
+}
+
 class SetHostnameVerifierMethod extends Method {
   SetHostnameVerifierMethod() {
     this.hasName("setHostnameVerifier") and

java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.qhelp

@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Certificate pinning is the practice of only trusting a specific set of SSL certificates, rather than those that the device trusts by default.
+In Android applications, it is reccomended to use certificate pinning when communicating over the network, 
+in order to minimize the risk of machine-in-the-middle attacks from a compromised CA.
+</p>
+</overview>
+
+<recommendation>
+<p>
+The easiest way to implement certificate pinning is to declare your pins in a <code>network-security-config</code> XML file. 
+This will automatically provide certificate pinning for any network connection made by the app.
+</p>
+<p>
+Another way to implement certificate pinning is to use the `CertificatePinner` class from the `okhttp` library. 
+</p>
+<p>
+A final way to implement certificate pinning is to use a <code>TrustManager</code>, initialized from a <code>KeyStore</code> loaded with only the necessary certificates.
+</p>
+
+</recommendation>
+
+<example>
+<p>
+In the first (bad) case below, a network call is performed with no certificate pinning implemented. 
+The other (good) cases demonstrate the different ways to implement certificate pinning. 
+</p>
+<sample src="AndroidMissingCertificatePinning1.java" />
+<sample src="AndroidMissingCertificatePinning2.xml" />
+<sample src="AndroidMissingCertificatePinning3.java" />
+</example>
+
+<references>
+  <li>
+    OWASP Mobile Security: <a href="https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05g-testing-network-communication#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4">Testing Custom Certificate Stores and Certificate Pinning (MSTG-NETWORK-4)</a>.
+  </li>
+  <li>
+    Android Developers: <a href="https://developer.android.com/training/articles/security-config">Network security configuration</a>.
+  </li>
+  <li>
+    OkHttp: <a href="https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/">CertificatePinner</a>.
+  </li>
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Android missing certificate pinning
+ * @description Network connections that do not use certificate pinning may allow attackers to eavesdrop on communications.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.9
+ * @precision medium
+ * @id java/android/missing-certificate-pinning
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import java
+import semmle.code.java.security.AndroidCertificatePinningQuery
+
+from DataFlow::Node node, string domain, string msg
+where
+  missingPinning(node, domain) and
+  if domain = ""
+  then msg = "(no explicitly trusted domains)"
+  else msg = "(" + domain + " is not trusted by a pin)"
+select node, "This network call does not implement certificate pinning. " + msg

java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning1.java

@@ -0,0 +1,2 @@
+// BAD - By default, this network call does not use certificate pinning
+URLConnection conn = new URL("https://example.com").openConnection();

java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning2.xml

@@ -0,0 +1,21 @@
+<!-- GOOD: Certificate pinning implemented via a Network Security Config file -->
+
+<!-- In AndroidManifest.xml -->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app">
+
+    <application android:networkSecurityConfig="@xml/NetworkSecurityConfig">
+        ...
+    </application>
+
+</manifest>
+
+<!-- In res/xml/NetworkSecurityConfig.xml -->
+<network-security-config>
+    <domain-config>
+        <domain>good.example.com</domain>
+        <pin-set expiration="2038/1/19">
+            <pin digest="SHA-256">...</pin>
+        </pin-set>
+    </domain-config>
+</network-security-config>

java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning3.java

@@ -0,0 +1,26 @@
+// GOOD: Certificate pinning implemented via okhttp3.CertificatePinner 
+CertificatePinner certificatePinner = new CertificatePinner.Builder()
+    .add("example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
+    .build();
+OkHttpClient client = new OkHttpClient.Builder()
+    .certificatePinner(certificatePinner)
+    .build();
+
+client.newCall(new Request.Builder().url("https://example.com").build()).execute();
+
+
+
+// GOOD: Certificate pinning implemented via a TrustManager
+KeyStore keyStore = KeyStore.getInstance("BKS");
+keyStore.load(resources.openRawResource(R.raw.cert), null);
+
+TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+tmf.init(keyStore);
+
+SSLContext sslContext = SSLContext.getInstance("TLS");
+sslContext.init(null, tmf.getTrustManagers(), null);
+
+URL url = new URL("http://www.example.com/");
+HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); 
+
+urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());

java/ql/src/change-notes/2022-11-30-android-certificate-pinning.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `java/android/missing-certificate-pinning`, to find network calls where certificate pinning is not implemented.

java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test1/AndroidManifest.xml

@@ -0,0 +1,10 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <application android:networkSecurityConfig="@xml/NetworkSecurityConfig">
+    </application>
+
+</manifest>

java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test1/Test.java

@@ -0,0 +1,12 @@
+import java.net.URL;
+import java.net.URLConnection;
+
+class Test{
+    URLConnection test1() throws Exception {
+        return new URL("https://good.example.com").openConnection();
+    }
+
+    URLConnection test2() throws Exception {
+        return new URL("https://bad.example.com").openConnection(); // $hasUntrustedResult
+    }
+}