About the Blackphone
The Blackphone is a device built with security in mind. That means embracing security, its community, and its principles. Fast patch times and a proactive approach to mitigating vulnerabilities appear to be part of their core values, and for those reasons we are very optimistic about what they are doing.
Cert Pinning, WhatsApp, and the Blackphone
I’d like to take a few moments to share my thoughts about whether what has been reported is, in fact, a vulnerability that users should be concerned about.
Bluebox cited a number of core apps on Blackphone for “leaking the username and passwords to any SSL server.” They found these apps were not performing what’s known as “certificate pinning” – validating that the certificate presented to your app is actually the correct certificate, rather than relying on the chain of certificate trust only. This is detailed in Bluebox’s assessment where they mention the process required to execute the attack:
“We observed this by setting up a MitM network attack on the device and installing our own SSL root certificate. This type of MitM attack can be mitigated by implementing SSL pinning into the apps.”
We have discussed this vulnerability multiple times in the past – including in widely popular apps WhatsApp and Gmail – and each time have highlighted the significant efforts required to exploit the vulnerability. In reality, if an attacker gains the access necessary to install a root certificate on your device, the potential for other attacks becomes a possibility. Exploitation requires a serious compromise, and therefore the lack of pinning alone is not a high-risk vulnerability.
While certificate pinning is certainly a best practice for secure development, it is far less of a security flaw than SSL issues which require no root certificate. Additionally, while other vulnerabilities exist in CA’s, including the creation (intentionally or unintentionally) of phony or spoofed certificates, attacks overall against CA’s are rare.
Another option for Blackphone to mitigate risk in this scenario is by reducing the overall number of trusted CAs on the device. Such a practice would reduce the chance of a rogue or compromised root CA.
One critical vulnerability that should be getting much more attention is the SSL vulnerabilities recently disclosed by CERT.
The SSL vulnerability effects hundreds of Android applications and requires nothing more than a Man-in-the-Middle attack to execute. Physical access and/or escalated privileges are not required.