From 8526097bb201fe1554dee3478aa3745849b0db1c Mon Sep 17 00:00:00 2001 From: Dennis Titze Date: Mon, 24 Feb 2025 12:32:05 +0100 Subject: [PATCH] Add section for frameworks --- Document/0x05g-Testing-Network-Communication.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/Document/0x05g-Testing-Network-Communication.md b/Document/0x05g-Testing-Network-Communication.md index 6f3d3a12ec..8706759f90 100644 --- a/Document/0x05g-Testing-Network-Communication.md +++ b/Document/0x05g-Testing-Network-Communication.md 
@@ -166,7 +166,19 @@ If you need additional customization beyond what NSC offers, you could implement It's also possible to implement pinning in [native code](https://developer.android.com/ndk) (C/C++/Rust). By embedding or dynamically verifying certificates within compiled native libraries (`.so` files), you can increase the difficulty of bypassing or modifying the pinning checks via typical APK reverse engineering. -That said, this approach requires significant security expertise and a careful design to manage certificates or public key hashes in native space. Maintenance and debugging also become more complex, so it's generally reserved for high-security apps with specialized needs. +That said, this approach requires significant security expertise and a careful design to manage certificates or public key hashes in native space. Maintenance and debugging also typically become more complex. + +#### Pinning in Cross-Platform Frameworks + +Cross-platform frameworks like Flutter, React Native, Cordova and Xamarin might require special considerations. Depending on the framework one of the following can apply: + +- The framework might support NSC. This is the case for Flutter apps on Android, but the NSC needs to be enabled specifically for Flutter. See the [Flutter documentation](https://docs.flutter.dev/release/breaking-changes/network-policy-ios-android#migration-guide) on how to enable the network policy. + +- The framework might use other networking libraries under the hood, which need to be configured appropriately. E.g., React Native uses OkHttp on Android, which can be configured with a custom `CertificatePinner`. + +- The framework might offer plugins to perform certificate pinning. This is the case for example for Cordova. + +- The framework might not offer any built-in mechanisms to perform certificate pinning (as it the case for Xamarin). In this case, pinning needs to be implemented manually. ### Security Provider
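Review bot: Typo in the last added bullet: "as it the case for Xamarin" should read "as is the case for Xamarin". In the same bullet list, the Cordova item ("The framework might offer plugins to perform certificate pinning. This is the case for example for Cordova.") names no plugin and links nowhere, while the Flutter and React Native items each point the reader at a concrete mechanism (the NSC migration guide, OkHttp's `CertificatePinner`); consider naming or linking the plugin so the reader can verify the claim and a tester knows what to look for. Minor: "Depending on the framework one of the following can apply" wants a comma after "framework", and "E.g., React Native uses OkHttp" would read better as "For example, React Native uses OkHttp" to match the prose style of the surrounding section.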