Skip to content

Latest commit

 

History

History
168 lines (125 loc) · 8.8 KB

mitigations.md

File metadata and controls

168 lines (125 loc) · 8.8 KB

Mitigation Strategies Analysis for square/okhttp

Mitigation Strategy: Enforce Strict Certificate and Hostname Verification

  • Mitigation Strategy: Enforce Strict Certificate and Hostname Verification

    • Description:

      1. No Custom HostnameVerifier: Ensure that no custom HostnameVerifier is implemented that overrides the default behavior and always returns true. The default HostnameVerifier in OkHttp correctly validates the hostname against the certificate.
      2. No TrustAllCerts: Absolutely ensure that no custom TrustManager is used that trusts all certificates (e.g., a TrustManager with an empty checkServerTrusted method). This is a critical security flaw.
      3. Certificate Pinning (Implementation):
        • Identify the target server's certificate chain.
        • Extract the public key hashes (SPKI – Subject Public Key Information) from the server's certificate, or preferably, from an intermediate CA certificate in the chain.
        • Use OkHttp's CertificatePinner.Builder to create a CertificatePinner instance.
        • Add the extracted public key hashes to the CertificatePinner using the add() method, specifying the hostname and the hash in the format pinSha256/<base64-encoded-hash>.
        • Build the CertificatePinner and set it on the OkHttpClient.Builder using the certificatePinner() method.
        • Implement a robust pin rotation strategy, including backup pins and monitoring of expiration dates.

    • Threats Mitigated:

      • Man-in-the-Middle (MitM) Attacks: (Severity: Critical)
      • Certificate Authority (CA) Compromise: (Severity: High)

    • Impact:

      • MitM Attacks: Risk reduced from Critical to Low (with pinning) or Moderate (without pinning, but with proper hostname and certificate validation).
      • CA Compromise: Risk reduced from High to Low (with pinning).

    • Currently Implemented:

      • Basic hostname and certificate validation are implemented by default in NetworkModule.kt.
      • Certificate pinning is partially implemented in SecurityConfig.kt, but only for the primary API endpoint (api.example.com).

    • Missing Implementation:

      • Certificate pinning is missing for other API endpoints.
      • Backup pins and automated pin rotation are not implemented.

Mitigation Strategy: Enforce HTTP/2 and Monitor for Downgrades (OkHttp Configuration)

  • Mitigation Strategy: Enforce HTTP/2 and Monitor for Downgrades (OkHttp Configuration)

    • Description:

      1. Prefer HTTP/2: Explicitly configure OkHttp to prefer HTTP/2 using OkHttpClient.Builder.protocols(listOf(Protocol.HTTP_2, Protocol.HTTP_1_1)). This prioritizes HTTP/2 over HTTP/1.1.
      2. Protocol Logging Interceptor: Implement an Interceptor to log the protocol used for each connection: 
        class ProtocolLoggingInterceptor : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        val request = chain.request()
        val response = chain.proceed(request)
        Log.d("OkHttp", "Protocol: ${response.protocol()}")
        return response
    }
}
        Add this interceptor to your OkHttpClient.

    • Threats Mitigated:

      • HTTP/2 Downgrade Attacks: (Severity: Moderate)

    • Impact:

      • HTTP/2 Downgrade Attacks: Risk reduced from Moderate to Low (with monitoring).

    • Currently Implemented:

      • OkHttp is configured to use both HTTP/2 and HTTP/1.1.

    • Missing Implementation:

      • Explicit prioritization of HTTP/2 is not set.
      • Protocol-specific logging is not implemented.

Mitigation Strategy: Manage Connection Pooling and Response Handling

  • Mitigation Strategy: Manage Connection Pooling and Response Handling

    • Description:

      1. Rely on OkHttp's Pool: Do not manually manage connections. Use OkHttp's built-in connection pool.
      2. Close Responses: Always close the Response body after processing the response, using response.body()?.close() or a try-with-resources block.
      3. Configure Timeouts: Set connectTimeout, readTimeout, and writeTimeout on the OkHttpClient using OkHttpClient.Builder.
      4. Connection Pool Settings (Optional): Adjust ConnectionPool settings (maxIdleConnections, keepAliveDuration) if necessary, using OkHttpClient.Builder.connectionPool().

    • Threats Mitigated:

      • Connection Reuse Issues: (Severity: Low to Moderate)
      • Resource Exhaustion (DoS): (Severity: Moderate)

    • Impact:

      • Connection Reuse Issues: Risk reduced to Very Low.
      • Resource Exhaustion (DoS): Risk reduced to Low.

    • Currently Implemented:

      • OkHttp's default connection pool is used.
      • readTimeout and connectTimeout are set.
      • Some response handling uses try-with-resources.

    • Missing Implementation:

      • writeTimeout is not set.
      • Consistent use of try-with-resources (or explicit close()) is missing.
      • Connection pool settings are not explicitly configured.

Mitigation Strategy: Secure Header Management with Interceptors

  • Mitigation Strategy: Secure Header Management with Interceptors

    • Description:

      1. Interceptors for Headers: Use OkHttp Interceptors to add, remove, or modify all sensitive headers (e.g., API keys, authorization tokens). Centralize header management. 
        class AuthInterceptor(private val apiKey: String) : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        val originalRequest = chain.request()
        val newRequest = originalRequest.newBuilder()
            .header("Authorization", "Bearer $apiKey")
            .build()
        return chain.proceed(newRequest)
    }
}
      2. CookieJar: Use OkHttp's CookieJar to manage cookies. Implement a custom CookieJar if you need fine-grained control.

    • Threats Mitigated:

      • Unintentional Data Leaks (Headers/Cookies): (Severity: Moderate to High)

    • Impact:

      • Unintentional Data Leaks: Risk reduced to Low.

    • Currently Implemented:

      • An AuthInterceptor is used for an API key.
      • A default CookieJar is used.

    • Missing Implementation:

      • No custom CookieJar for specific cookie policies.

Mitigation Strategy: Prevent Denial of Service (DoS) via OkHttp Configuration

  • Mitigation Strategy: Prevent Denial of Service (DoS) via OkHttp Configuration

    • Description:

      1. Timeouts: Set connectTimeout, readTimeout, and writeTimeout on the OkHttpClient.
      2. Dispatcher Configuration: Use OkHttpClient.Builder.dispatcher() to configure the Dispatcher:
        • maxRequests: Limit total concurrent requests.
        • maxRequestsPerHost: Limit concurrent requests per host.

    • Threats Mitigated:

      • Denial of Service (DoS) via Resource Exhaustion: (Severity: Moderate to High)

    • Impact:

      • DoS: Risk reduced (combined with server-side mitigations).

    • Currently Implemented:

      • connectTimeout and readTimeout are set.

    • Missing Implementation:

      • writeTimeout is not set.
      • Dispatcher configuration is not explicitly set.

Mitigation Strategy: Keep OkHttp Updated

  • Mitigation Strategy: Keep OkHttp Updated

    • Description:

      1. Dependency Management: Use a dependency management tool (Gradle, Maven).
      2. Regular Updates: Regularly update OkHttp to the latest stable version.

    • Threats Mitigated:

      • Known Vulnerabilities in OkHttp: (Severity: Varies)

    • Impact:

      • Known Vulnerabilities: Risk reduced.

    • Currently Implemented:

      • OkHttp dependency is managed.

    • Missing Implementation:

      • No automated update process.