Authentication / Application Signed with an Expired Certificate
An application signed with an expired certificate is an authentication weakness that occurs when an application, such as an Android or iOS mobile app, is signed with a certificate whose validity period has ended, so that users may be led to execute a malicious application. This weakness is listed in the Common Weakness Enumeration (CWE) directory as CWE-296, “Authentication Bypass by Primary Weakness”, and the OWASP Testing Guide lists it as a condition to test for.
The weakness carries a high risk: an attacker can use it to bypass authentication, gain access to sensitive data, or execute malicious code, and doing so requires little effort.
The remedy is to check all applications regularly and confirm that the certificates they are signed with are current and not expired. Where an expired certificate must remain in use, configure the application and the certificate correctly so that the associated risk is mitigated.
The following property list is an example of an application signed with an expired certificate, taken from the CVE directory (CVE-2015-1131); the base64 certificate data is truncated here:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>com.mycompany.myapp</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>com.mycompany.myapp</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>ABCDE12345</string>
    <key>signing-time</key>
    <date>2014-12-19T13:50:58+00:00</date>
    <key>signing-certificate</key>
    <array>
        <data>
        MIIDWzCCAk+gAwIBAgIIU9Q2/W+/v0J0wDQYJKoZIhvcNAQEFBQAwfzELMAkGA1UE
        BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZp
        ZXcxHzAdBgNVBAoMFlRoZSBMZWdpb24gU29sdXRpb25zIEZvdW5kYXRpb24xDzAN
        BgNVBAsMBkxvY2FsZTEbMBkGA1UEAwwSTG9jYWxlIFJvb3QgQ0EgMjAxNDAeFw0x
        NDAxMjkxMzUwNThaFw0yNDAxMjQxMzUwNThaMIGZMRkwFwYDVQQKExBUaGUgTGVn
        aW9uIFNvbHV0aW9uczERMA8GA1UECwwITG9jYWxlIENBMR8wHQYDVQQDDBZMb2Nh
        bGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
        MIIBCgKCAQEAq/SE0LHp1mRfhOyc9XyXFYNf/GtjK/F/x0ZXbwLsT8T/dNrj0yCX
        bD8HsPnjJhx/n1zAzsT8T/dNrj0yCXbD8HsPnjJhx/n1zAzMwgD1fKG1R+vhc9Xy
        XFYNf/GtjK/F/x0ZXbwLs
        </data>
    </array>
</dict>
</plist>
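The check that the remedy above calls for, written out as an added example (not code from the original page, from Apple, or from the CVE entry): read a signing plist with the same `signing-time` and `signing-certificate` keys as the listing above, pull `notBefore`/`notAfter` out of each DER certificate with a minimal X.509 walker, and flag a certificate that was not valid at signing time or has since expired. The plist layout, the `check_signing_plist` function name and the certificate are all assumptions of this example; the certificate is a constructed stand-in that has real X.509 field order only as far as the validity field, so the script runs offline with the standard library and no real key material. Note that the walker assumes a standard certificate layout (optional `[0]` version, then serialNumber, signature, issuer, validity) and that `plistlib` requires plist dates in the trailing-`Z` form.

```python
import base64
import plistlib
from datetime import datetime, timezone


def _read_length(buf, pos):
    """Return (length, offset of first content byte) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                                   # short form
        return first, pos + 1
    n = first & 0x7F                                   # long form: next n bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_children(buf):
    """Split the contents of a constructed DER value into [(tag, contents), ...]."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, pos = _read_length(buf, pos + 1)
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                                    # RFC 5280: YY >= 50 means 19YY, else 20YY
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    tag, certificate = der_children(der)[0]            # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = der_children(der_children(certificate)[0][1])   # fields of tbsCertificate
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = der_children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def check_signing_plist(plist_bytes, now=None):
    """Findings per certificate: 'signed-outside-validity' and/or 'expired' (relative to `now`)."""
    now = now or datetime.now(timezone.utc)
    info = plistlib.loads(plist_bytes)
    signed_at = info["signing-time"]
    if signed_at.tzinfo is None:                       # plistlib returns naive UTC datetimes
        signed_at = signed_at.replace(tzinfo=timezone.utc)
    findings = []
    for der in info["signing-certificate"]:
        not_before, not_after = certificate_validity(der)
        if not (not_before <= signed_at <= not_after):
            findings.append("signed-outside-validity")
        if now > not_after:
            findings.append("expired")
    return findings


# Constructed sample data below: a certificate-shaped stand-in, not a real certificate.

def _der(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def _utc_time(dt):
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def make_stand_in_certificate(not_before, not_after):
    """Correct X.509 field order up to validity; empty placeholder fields after it."""
    tbs = b"".join([
        _der(0xA0, _der(0x02, b"\x02")),               # [0] version v3
        _der(0x02, b"\x01"),                           # serialNumber
        _der(0x30, b""),                               # signature AlgorithmIdentifier (placeholder)
        _der(0x30, b""),                               # issuer Name (placeholder)
        _der(0x30, _utc_time(not_before) + _utc_time(not_after)),   # validity
        _der(0x30, b""),                               # subject Name (placeholder)
        _der(0x30, b""),                               # subjectPublicKeyInfo (placeholder)
    ])
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


PLIST_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>signing-time</key>
    <date>{signing_time}</date>
    <key>signing-certificate</key>
    <array><data>{cert_b64}</data></array>
</dict>
</plist>
"""


def build_sample_plist(signing_time, cert_der):
    """Constructed plist using the signing-time / signing-certificate layout of the listing above."""
    return PLIST_TEMPLATE.format(signing_time=signing_time.strftime("%Y-%m-%dT%H:%M:%SZ"),
                                 cert_b64=base64.b64encode(cert_der).decode("ascii")).encode()
```

To run it against the page's scenario, build a stand-in certificate valid from 2014-01-29 to 2015-01-24, wrap it in a plist with a signing time of 2014-12-19, and call `check_signing_plist`: with a `now` in 2016 it reports `['expired']`, while a signing time after `notAfter` additionally reports `signed-outside-validity`. The two findings are kept separate on purpose, since a signature made inside the validity window on a certificate that has since expired is a different operational problem from one made with a certificate that was already expired.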