
I am using Fabric Crashlytics in my Android and iOS app. I integrated Fabric according to the documentation, and everything is working fine. I am able to see the Crashlytics and other data in the dashboard.

The issue is that I did penetration testing using the IBM analyzer tool (free trial), and the result shows that there is an issue, and the issue is a certificate pinning issue. Now, to confirm whether it is due to Fabric/Crashlytics, I removed Fabric and Crashlytics from my project and ran the penetration testing again. This time it does not show me any issue.

So my question is: how is data passed between the app and the Fabric servers, and what can be done to solve this issue?

I have done the testing only with an .apk file. Will it be the same for an .ipa file also?

    Todd from Fabric here. Out of the box, all Crashlytics data is transmitted over SSL. With SSL Pinning, Crashlytics drastically reduces the chance of a security breach due to certificate theft or complex man-in-the-middle attacks. Can you provide the full output if you are still looking into this? Thanks! :) – Todd Burner Jul 12 '17 at 13:25
  • We used the exact same IBM automated audit tool and got a similar issue... – Todd Burner are you still looking into this? – Robert Sherman Oct 24 '17 at 16:54
  • So I reached out to Fabric and even https://stackoverflow.com/users/2207583/todd-burner directly, got one reply, followed up again but since then it's been crickets chirping...not even a statement saying we're not going to bother with this. – Robert Sherman Oct 30 '17 at 13:33
  • I should amend the tone of the above statement, I'm not blaming Fabric for needing time. It's on me to keep my organization informed, which is a little problematic when I have no direct involvement in investigation and crafting a solution. – Robert Sherman Oct 30 '17 at 13:50

1 Answer


It's possible to view the requests and responses of several crashlytics.com endpoints in plain JSON with the help of an SSL proxy tool like Charles, e.g.:

(screenshot of the decrypted crashlytics.com requests in Charles, not reproduced here)

The data is passed via HTTPS, but no cert pinning is applied. It will be the same for an .ipa file.

I personally don't think it's a serious issue. Just avoid sending sensitive data to Crashlytics logs.
