Hi,
Does codepush pin the server certificate when checking for updates?
@geof90 , can you give some help here please? I have a react native app that is being tested for security problems and the test team detected that codepush does not verify the public key of the server certificate when downloading the updates. I use the code signing feature, but should I worry about this? Any input would help.
ping @alexandergoncharov
Hi @boliveira,
Thanks for reporting!
By default CodePush doesn't use the code signing feature. For enabling it you should just add the CodePushPublicKey field to your Info.plist file for iOS or `strings.xml` file for Android.
To test it you can add this field, release a new update without signing it with the private key and try to install this update. You should get an error.
Please let me know if it was helpful or you have any questions.
Hi alexandre, thanks for answering.
I was not talking about the code signing feature, as I am already using it, but instead about checking the server certificate public key when connecting to the update server to download the updates. In a MITM scenario, someone could pretend to be the server and respond with a certificate that is valid but is not the real one. Public key pinning is a way to prevent that. Is it possible to do here?
@boliveira, could you please describe the server certificate public key in more detail? Where did you find it and how can I reproduce it?
Hi alexander,
I am talking about HTTP Public Key Pinning. Codepush makes https requests for the following sites:
https://codepush.azurewebsites.net/
https://codepush.blob.core.windows.net/
But it doesn't validate that the public keys of the certificates of these two sites are the expected ones. This leaves it open to man-in-the-middle attack scenarios where someone malicious can send a valid certificate claiming that it is from these websites. With HPKP, you also check that the public key of the certificate you received is the one that corresponds to the current server certificate for these websites. One way to do this is to embed the public keys of these sites in the code and check against them when establishing the connection.
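The pinning check described in this post, written as an added illustration for the Android side (it is not CodePush code): after the normal TLS handshake, hash the SubjectPublicKeyInfo of each certificate in the served chain and refuse to read the body unless one of them matches an embedded pin. The pin values are constructed placeholders, the `PinnedUpdateClient` class and its methods are assumed names, and `java.util.Base64` assumes Java 8 / Android API 26 or later.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public final class PinnedUpdateClient {
    // Constructed placeholder pins: base64(SHA-256(SubjectPublicKeyInfo)) of the
    // expected leaf or intermediate key, plus a backup pin so a key rotation on
    // the update server does not lock clients out of future updates.
    private static final List<String> PINS = Arrays.asList(
            "PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=",
            "PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=");

    /** Base64 SHA-256 over the DER-encoded SubjectPublicKeyInfo (the HPKP pin format). */
    static String spkiPin(Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded(); // X.509 SPKI DER for Java keys
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    /** Throws unless at least one certificate in the served chain matches an embedded pin. */
    static void verifyPins(Certificate[] chain, List<String> pins)
            throws IOException, NoSuchAlgorithmException {
        for (Certificate cert : chain) {
            if (pins.contains(spkiPin(cert))) {
                return; // a pinned key is present somewhere in the chain
            }
        }
        throw new SSLPeerUnverifiedException("no pinned public key in server certificate chain");
    }

    /** Opens the connection and runs the pin check before any response byte is read. */
    static HttpsURLConnection openPinned(URL url) throws IOException, NoSuchAlgorithmException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect(); // standard TLS handshake and chain validation happen here
        try {
            verifyPins(conn.getServerCertificates(), PINS);
        } catch (IOException | NoSuchAlgorithmException e) {
            conn.disconnect(); // never download an update from an unpinned peer
            throw e;
        }
        return conn;
    }
}
```

A caller that fetches the update manifest or bundle would use `openPinned(url).getInputStream()` in place of a plain `url.openConnection()`, so a valid-but-wrong certificate is rejected before anything is written to the device.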
@boliveira, Yeah, got it. But CodeSigning should handle this.
Could you please describe the situation in which someone can send a valid certificate?
@alexandergoncharov , yes I know code signing handles this, but the security team that is certifying my app didn't like that there wasn't a validation of the server certificate when checking for and downloading the update, especially when the downloaded update was kept on the user's device even after the code sign validation failed. So HPKP wasn't implemented because code signing already handles this scenario, or was it an oversight? You can test this scenario using a proxy like Charles Web Proxy.
Hi @boliveira,
Yeah, you are right. HPKP wasn't implemented because code signing already handles this scenario and this should be enough for security, and we don't have implementing HPKP on our roadmap for now. Sorry for this.
Please let me know if it was helpful or you have any questions.
Hi @alexandergoncharov ,
Ok, thanks for clarifying. But it should be implemented to avoid downloading an update and storing it on the user's device when it's not coming from codepush servers.
Hi @boliveira,
Sorry for delay.
I think that it isn't required that this case be handled by the code-signing feature, but I'll discuss this with my team. I'll keep you posted.
Please let me know if you have any questions.
Hi @boliveira,
Sorry for this long delay.
We discussed this feature request with my team and we think that the idea is good, but right now we are going to start working on the new CodePush version (please check the update section at the top of the readme) and we will investigate your request more closely. But for now, you can use the code signing feature, which fully resolves the security issue. https://github.com/Microsoft/code-push/tree/master/cli#code-signing
Please let me know if you have any questions.
Hi @alexandergoncharov,
Thanks for following up on this. I have implemented the code signing feature in my app and it is now in production. But I believe that validating the server you are getting the updates from would be a valuable feature, to avoid downloading bits of data if the server is not trusted.
Let me +1 on this issue. We are using code-push, and unfortunately we are using the older "JSBundle" format which DOES NOT verify hash or signature. It seems that some ISPs in China are hijacking the code pushing server, or at least disrupting the blob server so the http content-length is incorrect.
With an invalid bundle downloaded, all our client apps went blank, and there was no way to recover except to ask our clients to reinstall their apps.
Chinese ISPs are insane, they WILL hijack/tamper with connections if they can.
PLEASE enable HTTPS verification, security should be enabled by default.
We traced down the client-side bundle download code to here:
If connection.getContentLength() is 0, or something incorrect, the invalid bundle would be allowed.
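Added illustration of the download-side check this comment asks for (not CodePush code): the bundle is written to a staging file and only kept if the declared Content-Length is positive, the received byte count matches it, and the SHA-256 matches the value the client already trusts. The `BundleDownload` class and its methods are assumed names, and the expected length and hash are assumed to come from the signed update manifest.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class BundleDownload {
    private static final int BUF_SIZE = 8192;

    /**
     * Streams the response body into staging and returns true only if the declared
     * length, the received length and the SHA-256 all agree with what the signed
     * manifest promised (assumption: the manifest carries both values). On any
     * mismatch the staging file is deleted so a broken bundle is never kept on disk.
     */
    static boolean downloadVerified(HttpURLConnection conn, File staging,
                                    long expectedLength, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        int declared = conn.getContentLength(); // -1 when the header is missing
        // A missing, zero or unexpected Content-Length is treated as a tampered or
        // truncated response, not as "unknown length, accept whatever arrives".
        if (declared <= 0 || declared != expectedLength) {
            return false;
        }
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        long received = 0;
        byte[] buf = new byte[BUF_SIZE];
        boolean ok = false;
        try (InputStream in = new DigestInputStream(conn.getInputStream(), md);
             OutputStream out = new FileOutputStream(staging)) {
            int n;
            while ((n = in.read(buf)) != -1) {
                received += n;
                if (received > expectedLength) {
                    break; // more bytes than promised: stop reading, reject below
                }
                out.write(buf, 0, n);
            }
            // Constant-time digest comparison; length check catches truncation.
            ok = received == expectedLength && MessageDigest.isEqual(md.digest(), expectedSha256);
        } finally {
            if (!ok && staging.exists() && !staging.delete()) {
                staging.deleteOnExit(); // best effort so the bad bundle never gets installed
            }
        }
        return ok;
    }
}
```

Only after `downloadVerified` returns true would the staging file be moved into the package directory, so a short or corrupted body (as with the hijacked blob responses described above) leaves the currently installed bundle untouched.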