{ "id": "145829", "key": "TIMOB-18709", "fields": { "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false }, "project": { "id": "10153", "key": "TIMOB", "name": "Titanium SDK/CLI", "projectCategory": { "id": "10100", "description": "Titanium and related SDKs used in application development", "name": "Client" } }, "fixVersions": [], "resolution": { "id": "8", "description": "", "name": "Needs more info" }, "resolutiondate": "2015-03-24T17:23:29.000+0000", "created": "2015-03-17T12:21:45.000+0000", "priority": { "name": "Critical", "id": "1" }, "labels": [], "versions": [], "issuelinks": [], "assignee": { "name": "vduggal", "key": "vduggal", "displayName": "Vishal Duggal", "active": false, "timeZone": "America/Los_Angeles" }, "updated": "2017-03-22T22:35:18.000+0000", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "components": [ { "id": "10206", "name": "iOS", "description": "iOS Platform" } ], "description": "It seems like the implementation of the authentication challenge on https://github.com/appcelerator/APSHTTPClient/blob/master/APSHTTPClient/APSHTTPRequest.m is not done properly.\r\n\r\nSpecifically in this part:\r\n{code}\r\nif (!handled) {\r\n if ([challenge.sender respondsToSelector:@selector(performDefaultHandlingForAuthenticationChallenge:)]) {\r\n [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];\r\n } else {\r\n [challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];\r\n }\r\n }\r\n{code}\r\n\r\nWhenever an error occurs by the validation (for example when the server gives back a wrong certificate), Titanium fallbacks to the standard certificate checks bypassing the desired and given certificate pinning.\r\n\r\nThis bug has successfully reproduced by installing our own CA-certificate in a test device and thus bypassing the check with the certificate of the server and being able to perform a man in the middle attack.", "attachment": [], "flagged": false, "summary": "iOS: Incorrect fallback in Authentication Challenge", "creator": { "name": "giorgos", "key": "giorgos", "displayName": "Giorgos Papadopoulos", "active": true, "timeZone": "America/Los_Angeles" }, "subtasks": [], "reporter": { "name": "giorgos", "key": "giorgos", "displayName": "Giorgos Papadopoulos", "active": true, "timeZone": "America/Los_Angeles" }, "environment": "iOS", "closedSprints": [ { "id": 362, "state": "closed", "name": "2015 Sprint 06 SDK", "startDate": "2015-03-14T13:56:53.868Z", "endDate": "2015-03-28T00:00:00.000Z", "completeDate": "2015-03-30T17:32:33.590Z", "originBoardId": 114 } ], "comment": { "comments": [ { "id": "346264", "author": { "name": "vduggal", "key": "vduggal", "displayName": "Vishal Duggal", "active": false, "timeZone": "America/Los_Angeles" }, "body": "Is the appcelerator.https module being used? The https module is specifically designed to check server certificates during the ServerTrust handshake to prevent the Man In Middle attack.", "updateAuthor": { "name": "vduggal", "key": "vduggal", "displayName": "Vishal Duggal", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2015-03-17T20:41:04.000+0000", "updated": "2015-03-17T20:44:52.000+0000" }, { "id": "347144", "author": { "name": "vduggal", "key": "vduggal", "displayName": "Vishal Duggal", "active": false, "timeZone": "America/Los_Angeles" }, "body": "Regarding the code referenced above, `performDefaultHandlingForAuthenticationChallenge` is an optional method in the `NSURLAuthenticationChallengeSender` protocol. If the sender implements the protocol, we invoke that method else we invoke the required method `continueWithoutCredentialForAuthenticationChallenge` in the sender which attempts (but does not guarantee) to continue downloading without authentication. I believe this is implementation is correct.\r\n\r\nRegarding the test scenario presented here, by installing the certificate on the device the developer has explicitly asked the OS to trust that particular certificate. The system will not differentiate between self signed certificates and certificates from established CA authorities. It is upto the developer to perform checks to ensure that the certificate presented by the server is trust worthy.\r\n\r\nTo that end we have exposed the `securityManager` property on the Ti.Network.HTTPClient object. Appcelerator also provides the `appcelerator.https` module that implements server certificate pinning and can be used with the HTTPClient object. The developer is of course free to implement their own module and use it with the HTTPClient object.\r\n\r\nIt is unclear from the description of the bug what the setup is or if the module was even used. If the bug is filed against the HTTPClient object, then I believe that this is an invalid issue. If this is filed against the module and claims that the module is not behaving as expected, then we need sample code that demonstrates the issue. \r\n\r\nEither ways we have very little to move forward on. Resolving this as \"Needs More Info\"", "updateAuthor": { "name": "vduggal", "key": "vduggal", "displayName": "Vishal Duggal", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2015-03-24T17:23:18.000+0000", "updated": "2015-03-24T17:23:18.000+0000" }, { "id": "415142", "author": { "name": "lmorris", "key": "lmorris", "displayName": "Lee Morris", "active": false, "timeZone": "America/Los_Angeles" }, "body": "Closing ticket due to the information that was requested not being provided.", "updateAuthor": { "name": "lmorris", "key": "lmorris", "displayName": "Lee Morris", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2017-03-22T22:35:18.000+0000", "updated": "2017-03-22T22:35:18.000+0000" } ], "maxResults": 6, "total": 6, "startAt": 0 } } }