
Recently I have used the Retrofit 2.3.0 networking library in my project. I have also implemented SSL pinning for securing the app, using the CertificatePinner class in OkHttp and thus Retrofit.

However, after another team ran a comprehensive penetration test on our APK, they succeeded in tampering with the CertificatePinner class in the OkHttp client, gaining access to the plaintext messages being sent to the web services.

Since we have to exclude the Retrofit and OkHttp classes from the ProGuard process by writing specific keep rules for them, we conclude this was the main cause of their successful reverse engineering.

Anyway, the following questions have arisen considering the situation:

1. Why do Retrofit and OkHttp need ProGuard rules in the first place?

2. What is a possible secure workaround for this problem?

3. Do we need to replace Retrofit with yet another library like Volley or AsyncHttpClient?

Farhad
    "Why in the first place, the retrofit and okhttp need proguard rules ?" -- what makes you think that they are needed? [Jake Wharton doesn't think that any are needed for OkHttp, for example](https://github.com/square/okhttp/issues/2230#issuecomment-236068544). "What is the possible secure workaround for this problem ?" -- there is none. Anything can be reverse-engineered. The point behind certificate pinning is to prevent MITM attacks. Hacked clients can always get the plaintext. – CommonsWare Aug 27 '17 at 12:38
  • I don't know how the team tampered with the CertificatePinner, but I assume they just modified the APK. Therefore replacing the Java based implementation will not help you. You have to apply a hardening tool that protects your APK as a whole and/or switch to a native implementation (no Java). That will make reverse engineering a bit harder but not impossible. – Robert Aug 27 '17 at 13:00
  • @Robert Do you know of any samples of how to implement hardening for an APK in Android? Any frameworks or routines? – Farhad Aug 27 '17 at 13:18
  • The answer is simple: buy a good hardening framework. Everything you will be able to implement on your own in 6 months can be hacked by a semi-skilled attacker in 1-2 hours. – Robert Aug 27 '17 at 18:12
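As an added example (not code from the question, nor from the OkHttp or Retrofit projects), the following class shows what the CertificatePinner setup discussed above looks like when wired into a Retrofit 2.3.0 client, how OkHttp derives a `sha256/` pin value from a certificate, and a one-off helper for reading the pins a server actually presents. The host `api.example.com`, the two pin strings and the class name are placeholders; the OkHttp 3.x and Okio APIs used (`CertificatePinner.Builder`, `Response.handshake()`, `ByteString.sha256()`) are the library's own.

```java
import java.security.cert.Certificate;
import java.util.List;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okio.ByteString;
import retrofit2.Retrofit;

public final class PinnedClientExample {

    // Placeholder host and pins: replace with the SPKI hashes of your own leaf or
    // intermediate certificate. Ship at least one backup pin for the certificate
    // you will rotate to; otherwise a routine renewal strands every installed client.
    private static final String API_HOST = "api.example.com";
    private static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private PinnedClientExample() {}

    /** OkHttp client that aborts the TLS handshake to API_HOST unless one pin matches the chain. */
    public static OkHttpClient buildPinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Retrofit instance that routes every call through the pinned client. */
    public static Retrofit buildRetrofit() {
        return new Retrofit.Builder()
                .baseUrl("https://" + API_HOST + "/")
                .client(buildPinnedClient())
                .build();
    }

    /**
     * Reproduces OkHttp's pin derivation: SHA-256 over the DER-encoded
     * SubjectPublicKeyInfo, base64-encoded and prefixed with "sha256/".
     * This is what CertificatePinner.pin(certificate) returns; it is spelled
     * out here so the value can be checked independently of the library.
     */
    public static String computePin(Certificate certificate) {
        byte[] spki = certificate.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        return "sha256/" + ByteString.of(spki).sha256().base64();
    }

    /**
     * One-off operator helper: prints the pin of every certificate in the chain
     * the server presents, so the right values can be copied into PRIMARY_PIN
     * and BACKUP_PIN. Run it once from a network you trust, not at app runtime.
     */
    public static void printServerPins(String url) throws Exception {
        OkHttpClient probe = new OkHttpClient(); // unpinned on purpose: we are discovering the pins
        Request request = new Request.Builder().url(url).build();
        try (Response response = probe.newCall(request).execute()) {
            List<Certificate> chain = response.handshake().peerCertificates();
            for (Certificate c : chain) {
                System.out.println(computePin(c));
            }
        }
    }
}
```

The pins only ever constrain the TLS handshake, which is the point CommonsWare makes above: a network attacker who cannot present a certificate with a matching SubjectPublicKeyInfo hash is locked out, but an attacker who edits the APK can simply remove the `.certificatePinner(pinner)` call, so pinning belongs in the threat model as channel protection rather than as client integrity.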
