Our security team has performed a security scan on our mobile application and found the following vulnerabilities:
Vulnerability Name: Weak SSL Cipher Suites are Supported
Vulnerability Type: attWeakCipherSuites
Calling Method: com.crittercism.internal.ca.a(com.crittercism.internal.bz):com.crittercism.internal.cb
Method Signature: javax.net.ssl.SSLParameters.setCipherSuites(java.lang.String[]):void
Location: (Unknown)
Issue Validation Parameter - Name: cipherSuites
Issue Validation Parameter - Value: [TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Vulnerability Name: Lack of Certificate Pinning
Vulnerability Type: attSSLCertificatePinning
Calling Method: com.crittercism.internal.ca.a(com.crittercism.internal.bz):com.crittercism.internal.cb
Method Signature: java.net.URL.openConnection():java.net.URLConnection
Location: (Unknown)
Issue Validation Parameter - Name: this
Issue Validation Parameter - Value: https://5-8-10-android.appload.ingest.crittercism.com/v0/config
Can someone help me resolve the issues above?
Platform: Android
Framework: React-native
Your Questions
First question
You need to pass only the latest recommended cipher suites, and you can read which ones they are on the Mozilla site.
Currently the most secure ones are the ones recommended for Modern Compatibility.
Second question
Since you are using React Native, you may want to try the react-native-cert-pinner package:
You should read the README of the package for the detailed instructions, but as a quick start, this may work:
followed by an automated installation:
Otherwise you should try, from the README, the manual installation for Android.
Going the Extra Mile
If you want to understand why you should be using Certificate Pinning, you can read these two sections of this blog post:
What is Certificate Pinning?
It will briefly explain what it is and how it works at a high level, and what to pin.
Why do we need Certificate Pinning?
Here it explains why it needs to be used in order to prevent trust-based assumptions and to protect against use in hostile environments.
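To make the "pass only the recommended cipher suites" advice concrete, here is an added example (not code from the question, the answer, react-native-cert-pinner, or Mozilla) that takes the exact list the scanner reported in the question and classifies each entry by its key exchange and cipher construction. The keep/drop policy is an assumption stated in the code: keep TLS 1.3 suites and TLS 1.2 suites that combine an ephemeral (EC)DHE key exchange with an AEAD cipher, drop static RSA key exchange (no forward secrecy) and CBC/HMAC suites, and pass the renegotiation SCSV through because it is a signalling value rather than a cipher. The surviving list is what you would hand to `SSLParameters.setCipherSuites()` on the Java side.

```python
"""Classify the cipher suites a scanner reported and derive a hardened list.

Added example, not code from the question, the answer or any library.
Policy (assumption, not a quote of Mozilla's list): keep TLS 1.3 suites and
TLS 1.2 suites with ephemeral (EC)DHE key exchange plus an AEAD cipher;
drop static key exchange (no forward secrecy) and CBC/HMAC constructions.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: the suite list copied from the scanner output in the question.
SCANNER_SUITES: List[str] = [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# TLS 1.3 suite names carry no key-exchange component, so they are matched by name.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# TLS 1.2 JSSE-style names: TLS_<key exchange>_WITH_<cipher and MAC/PRF>.
_TLS12_NAME = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)$")


def classify(suite: str) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'keep', 'drop' or 'signal'."""
    if suite.endswith("_SCSV"):
        return ("signal", "signalling value, not a cipher; safe to pass through")
    if suite in TLS13_SUITES:
        return ("keep", "TLS 1.3 suite (always ephemeral key exchange and AEAD)")
    match = _TLS12_NAME.match(suite)
    if match is None:
        return ("drop", "unrecognised suite name")
    kx, cipher = match.group("kx"), match.group("cipher")
    # Static RSA or static (EC)DH key exchange gives no forward secrecy:
    # a leaked server private key decrypts recorded traffic.
    if not kx.startswith(("ECDHE_", "DHE_")):
        return ("drop", f"{kx} key exchange has no forward secrecy")
    if "_GCM_" in cipher or cipher.startswith("CHACHA20_POLY1305"):
        return ("keep", "ephemeral key exchange with an AEAD cipher")
    if "_CBC_" in cipher:
        return ("drop", "CBC/HMAC construction, not AEAD")
    return ("drop", f"unknown cipher construction {cipher}")


def harden(suites: List[str]) -> List[str]:
    """Filter a suite list, preserving the caller's preference order."""
    return [s for s in suites if classify(s)[0] in ("keep", "signal")]


def dropped(suites: List[str]) -> Dict[str, str]:
    """Map each rejected suite to the reason it was rejected, for the report."""
    return {s: classify(s)[1] for s in suites if classify(s)[0] == "drop"}


if __name__ == "__main__":
    for suite in harden(SCANNER_SUITES):
        print("keep ", suite)
    for suite, reason in dropped(SCANNER_SUITES).items():
        print("drop ", suite, "-", reason)
```

On the question's list this keeps the six ECDHE + GCM/ChaCha20 suites plus the SCSV and drops the eight others (four ECDHE CBC suites and four static-RSA suites). Which of the kept names, and whether the TLS 1.3 names, are actually negotiable on a given device depends on the Android version and its TLS provider, so check the result against `SSLSocket.getSupportedCipherSuites()` on the oldest API level you ship.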