Authentication / Application Signed with an Expired Certificate

Android, iOS, Mobile App

Description

Application signed with an expired certificate is an authentication vulnerability that occurs when an application, such as an app on Android, iOS, or another mobile platform, is signed with a certificate that has passed its expiry date, which can allow a malicious application to be run in its place. The weakness is catalogued in the Common Weakness Enumeration (CWE) directory as CWE-296, “Authentication Bypass by Primary Weakness”, and the OWASP Testing Guide lists it as a condition to test for.

Risk

This vulnerability presents a serious risk: an attacker can use it to bypass authentication and thereby gain access to sensitive data or execute malicious code. Because both outcomes are reachable with little effort, the risk is assessed as high.

Solution

The solution is to check all applications regularly and confirm that the certificates they are signed with are current and not expired. If an expired certificate must nevertheless be used, make sure the application and the certificate are configured correctly so that the risks associated with this vulnerability are mitigated.
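The check described above, as an added example that is not part of the original page: a small standard-library-only script that extracts the notBefore/notAfter validity window from a DER-encoded X.509 certificate (the format stored in a plist <data> element or in an app's signature block) and reports whether the certificate has expired. The sample certificates are constructed inline with a dummy (all-zero) signature and a hypothetical "Demo Signing CA" name; only their structure matters for the parser.

```python
"""Check whether an app's signing certificate has expired.

Added example, not code from the original page. Standard library only: a
minimal DER walker extracts notBefore/notAfter from an X.509 certificate.
The sample certificates are CONSTRUCTED here with a dummy signature and a
hypothetical "Demo Signing CA" name; only their structure matters.
"""
import base64
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER tag-length-value at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode UTCTime (YYMMDDhhmmssZ) or GeneralizedTime (YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)         # [0] EXPLICIT version is optional
    if tag != 0xA0:
        pos = 0
    _, _, pos = _read_tlv(tbs, pos)         # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)    # validity ::= SEQUENCE { notBefore, notAfter }
    nb_tag, nb, pos = _read_tlv(validity, 0)
    na_tag, na, _ = _read_tlv(validity, pos)
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def is_expired(der, now=None):
    """True when `now` (default: current UTC time) lies outside the validity window."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(der)
    return not (not_before <= now <= not_after)


def certificate_from_plist_data(text):
    """Decode the base64 body of a plist <data> element, ignoring whitespace."""
    return base64.b64decode("".join(text.split()))


# --- builder for the constructed sample certificates (demo only) ----------

def _tlv(tag, payload):
    """Minimal DER encoder, the inverse of _read_tlv."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _der_time(d):
    """UTCTime for 1950-2049, GeneralizedTime otherwise, as X.509 requires."""
    if 1950 <= d.year < 2050:
        return _tlv(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return _tlv(GENERALIZED_TIME, d.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def build_sample_certificate(not_before, not_after):
    """Structurally valid but UNSIGNED certificate; signature and key are zero bytes."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
                                        + _tlv(0x0C, b"Demo Signing CA"))))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                       # version v3
               + _tlv(0x02, b"\x01")                                  # serialNumber
               + sha256_rsa                                           # signature algorithm
               + name                                                 # issuer
               + _tlv(0x30, _der_time(not_before) + _der_time(not_after))
               + name                                                 # subject
               + _tlv(0x30, sha256_rsa + _tlv(0x03, bytes(17))))      # placeholder SPKI
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, bytes(33)))       # dummy signature


EXPIRED_SAMPLE = build_sample_certificate(datetime(2014, 1, 29, tzinfo=timezone.utc),
                                          datetime(2015, 1, 29, tzinfo=timezone.utc))
VALID_SAMPLE = build_sample_certificate(datetime(2000, 1, 1, tzinfo=timezone.utc),
                                        datetime(2099, 12, 31, 23, 59, 59, tzinfo=timezone.utc))
EXPIRED_SAMPLE_B64 = base64.b64encode(EXPIRED_SAMPLE).decode("ascii")

if __name__ == "__main__":
    for label, der in (("expired sample", EXPIRED_SAMPLE), ("valid sample", VALID_SAMPLE)):
        nb, na = certificate_validity(der)
        print(f"{label}: {nb:%Y-%m-%d} .. {na:%Y-%m-%d} -> {'EXPIRED' if is_expired(der) else 'ok'}")
```

To run this against a real app, extract the signing certificate from the app's signature block with the platform's own tooling and pass the DER bytes (or the base64 text of a plist <data> element via certificate_from_plist_data) to is_expired; the walker only reads the validity field, so it does not validate the signature or the chain, which remains a separate check.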

Example

The following property list is an example of an application signed with an expired certificate, taken from the CVE directory (CVE-2015-1131); the base64 certificate data is truncated in the listing:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
   <dict>
      <key>application-identifier</key>
      <string>com.mycompany.myapp</string>
      <key>get-task-allow</key>
      <false/>
      <key>keychain-access-groups</key>
      <array>
         <string>com.mycompany.myapp</string>
      </array>
      <key>com.apple.developer.team-identifier</key>
      <string>ABCDE12345</string>
      <key>signing-time</key>
      <date>2014-12-19T13:50:58+00:00</date>
      <key>signing-certificate</key>
      <array>
         <data>
            MIIDWzCCAk+gAwIBAgIIU9Q2/W+/v0J0wDQYJKoZIhvcNAQEFBQAwfzELMAkGA1UE
            BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZp
            ZXcxHzAdBgNVBAoMFlRoZSBMZWdpb24gU29sdXRpb25zIEZvdW5kYXRpb24xDzAN
            BgNVBAsMBkxvY2FsZTEbMBkGA1UEAwwSTG9jYWxlIFJvb3QgQ0EgMjAxNDAeFw0x
            NDAxMjkxMzUwNThaFw0yNDAxMjQxMzUwNThaMIGZMRkwFwYDVQQKExBUaGUgTGVn
            aW9uIFNvbHV0aW9uczERMA8GA1UECwwITG9jYWxlIENBMR8wHQYDVQQDDBZMb2Nh
            bGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
            MIIBCgKCAQEAq/SE0LHp1mRfhOyc9XyXFYNf/GtjK/F/x0ZXbwLsT8T/dNrj0yCX
            bD8HsPnjJhx/n1zAzsT8T/dNrj0yCXbD8HsPnjJhx/n1zAzMwgD1fKG1R+vhc9Xy
            XFYNf/GtjK/F/x0ZXbwLs
         </data>
         <!-- certificate data truncated in the original listing -->
      </array>
   </dict>
</plist>
