Unsafe X509TrustManager
OWASP category: MASVS-CODE: Code Quality

Overview
The X509TrustManager class is responsible for verifying the authenticity of a remote server. It does this by validating the server's certificate.
An insecure X509TrustManager implementation in an Android application is one that does not properly verify the authenticity of the server the application is communicating with. This allows an attacker to impersonate a legitimate server and trick the application into sending sensitive data to the attacker.
The vulnerability exists because, when the X509TrustManager class is used, Java and Android allow server verification to be replaced entirely. The X509TrustManager class has two functions of interest: checkServerTrusted() and getAcceptedIssuers(). These functions can be implemented so that every X.509 certificate is trusted. Custom validation logic may also be buggy or incomplete and permit unexpected connections. In all of these cases the purpose of the class has been negated, and any network connection established on the basis of the X509TrustManager's output is not secure.
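As an added example (not code from the page, from the Android lint checks it links to, or from any Android API), here is a Python heuristic in the spirit of those lint checks: it flags an X509TrustManager implementation whose checkServerTrusted() or checkClientTrusted() body is empty or has no way to reject a chain (no throw and no delegation to another TrustManager). The two Java snippets are constructed inputs with hypothetical class names.

```python
import re
# Constructed sample inputs (not from the page): a trust-all TrustManager and one that
# delegates to the platform default. Class names are hypothetical.
TRUST_ALL_JAVA = """
public class NaiveTrustManager implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // accept everything "for now"
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
"""
DELEGATING_JAVA = """
public class DelegatingTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkServerTrusted(chain, authType); }
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
"""

def _strip_comments(src):
    # Drop /* */ and // comments so a comment-only method body counts as empty.
    return re.sub(r"//[^\n]*", "", re.sub(r"/\*.*?\*/", "", src, flags=re.S))

def _method_body(src, name):
    # Text between the braces of the first method called `name`; None if absent or unbalanced.
    m = re.search(r"\b" + name + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):  # brace matching (ignores braces inside string literals)
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start + 1:i]

def find_unsafe_trust_manager(java_source):
    # Heuristic findings for a source string holding one X509TrustManager class.
    src = _strip_comments(java_source)
    findings = []
    if not re.search(r"\bimplements\b[^{]*\bX509TrustManager\b", src):
        return findings  # not a custom trust manager, nothing to check
    for name in ("checkServerTrusted", "checkClientTrusted"):
        body = _method_body(src, name)
        if body is not None and not body.strip():
            findings.append(f"{name}() has an empty body: every certificate chain is accepted")
        elif body is not None and not re.search(r"\bthrow\b|\.\s*check\w+Trusted\s*\(", body):
            findings.append(f"{name}() cannot reject a chain: no throw and no delegation")
    return findings
```

A body that rejects through a separate helper method is reported as a false positive by this heuristic, so treat its output as a review queue rather than a verdict.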
Impact
Unsafe X509TrustManager implementations can lead to vulnerabilities that attackers can use to perform MitM (man-in-the-middle) attacks on network traffic from the victim application. The impact of exploiting this insecure code is that, if the code is triggered, the user's application network data can be compromised by network attackers (remotely or locally). The specific impact depends on the content of the network traffic that is inadvertently exposed (PII, private information, sensitive session values, service credentials, and so on).
Mitigations
Use the NetworkSecurityConfig.xml functionality to ensure that all production, testing, debugging, and development-stage connections are handled properly, rather than using or implementing custom TLS/SSL certificate validation code. If test and debug builds need to use a self-signed certificate, consider using NetworkSecurityConfig instead of implementing a custom X509TrustManager.
Resources

- Play Warning docs: https://support.google.com/faqs/answer/6346016
- Documentation to assist configuring the Network security configuration xml file: /training/articles/security-config
- Developer documentation for the TrustManager class: /reference/javax/net/ssl/TrustManager
- This check looks for X.509TrustManager implementations whose checkServerTrusted or checkClientTrusted methods do nothing (thus trusting any certificate chain): https://googlesamples.github.io/android-custom-lint-rules/checks/TrustAllX509TrustManager.md.html
- This check looks for custom X.509TrustManager implementations: https://googlesamples.github.io/android-custom-lint-rules/checks/CustomX509TrustManager.md.html
- https://cs.android.com/android-studio/platform/tools/base/+/mirror-goog-studio-main:lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks/X509TrustManagerDetector.java

The content and code samples on this page are subject to the licenses described in the Content License section. Java and OpenJDK are registered trademarks of Oracle and/or its affiliates.
Last updated (UTC): 2023-12-08.