SSL pinning

Author: Matthieu Gicquel

README.md

@@ -0,0 +1,94 @@
+<h1 align="center">react-native-app-security 🔐</h1>
+
+<p align="center">Easily implement usual security measures in React Native Expo apps</p>
+
+- [SSL public key pinning](#ssl-pinning)
+- [🚧 Certificate transparency](#certificate-transparency)
+- [🚧 "Recent screenshots" prevention](#recent-screenshots-prevention)
+
+> **⚠️ Disclaimer**<br/>
+> This package is intended to help implement a few basic security features but does not in itself guarantee that an app is secure.<br/>
+> Refer to [OWASP's resources](https://mas.owasp.org) for more information on mobile app security.<br/>
+> You can also [contact us](#👉-about-bam) if you need help with securing your app.
+
+# Installation and setup
+
+This packages is designed for use in expo apps with [development builds](https://docs.expo.dev/develop/development-builds/introduction/).
+
+```sh
+yarn add @bam.tech/react-native-app-security
+```
+
+Add the config plugin to `app.config.ts` / `app.config.js` / `app.json`:
+
+```json
+{
+  "plugins": [
+    [
+      "@bam.tech/react-native-app-security",
+      {
+        "sslPinning": {
+          "yahoo.com": [
+            "TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
+            "rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
+          ]
+        }
+      }
+    ]
+  ]
+}
+```
+
+Anytime you change the config, don't forget to run:
+
+```sh
+yarn expo prebuild
+```
+
+# Features
+
+## SSL Pinning
+
+> **🥷 What's the threat?** Attackers intercepting your app's network requests and accessing private data or sending malicious responses. [More details](https://mas.owasp.org/MASTG/General/0x04f-Testing-Network-Communication/#restricting-trust-identity-pinning)
+
+This package implements [public key pinning](https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html#public-key) using [TrustKit](https://github.com/datatheorem/TrustKit) on iOS and the certificate pinner included in OkHttp on Android.
+
+### Configuration
+
+```jsonc
+[
+  "@bam.tech/react-native-app-security",
+  {
+    "sslPinning": {
+      // The hostname you want to pin, without `https://`
+      "yahoo.com": [
+        // The public key hashes for the pinned certificates, without a `sha256/` prefix
+        "TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
+        "rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
+      ]
+    }
+  }
+]
+```
+
+### Generating the public key hashes
+
+TODO
+
+## Certificate transparency
+
+TODO
+
+## "Recent screenshots" prevention
+
+TODO
+
+# Contributing
+
+TODO
+
+# 👉 About BAM
+
+We are a 100 people company developing and designing multi-platform applications with [React Native](https://www.bam.tech/expertise/react-native) using the Lean & Agile methodology. To get more information on the solutions that would suit your needs, feel free to get in touch by [email](mailto:contact@bam.tech) or through our [contact form](https://www.bam.tech/en/contact)!
+
+We will always answer you with pleasure 😁

android/build.gradle

@@ -68,6 +68,9 @@ android {
     targetSdkVersion safeExtGet("targetSdkVersion", 33)
     versionCode 1
     versionName "0.1.0"
+
+    // package-specific config fields
+    buildConfigField("String", "RNAS_PINNING_CONFIG", "\"${safeExtGet("RNAS_PINNING_CONFIG", "{}")}\"")
   }
   lintOptions {
     abortOnError false
@@ -86,4 +89,8 @@ repositories {
 dependencies {
   implementation project(':expo-modules-core')
   implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${getKotlinVersion()}"
+
+  // package-specific dependencies
+  implementation("com.squareup.okhttp3:okhttp:+")
+  implementation("com.facebook.react:react-native:+")
 }

android/src/main/java/tech/bam/rnas/AndroidListenerPackage.kt

@@ -0,0 +1,11 @@
+package tech.bam.rnas
+
+import android.content.Context
+import expo.modules.core.interfaces.Package
+import expo.modules.core.interfaces.ReactActivityLifecycleListener
+
+class AndroidListenerPackage : Package {
+  override fun createReactActivityLifecycleListeners(activityContext: Context): List<ReactActivityLifecycleListener> {
+    return listOf(AndroidReactActivityLifecycleListener())
+  }
+}

android/src/main/java/tech/bam/rnas/AndroidReactActivityLifecycleListener.kt

@@ -0,0 +1,14 @@
+package tech.bam.rnas
+
+import android.app.Activity
+import android.os.Bundle
+import expo.modules.core.interfaces.ReactActivityLifecycleListener
+
+import com.facebook.react.modules.network.OkHttpClientProvider;
+
+class AndroidReactActivityLifecycleListener : ReactActivityLifecycleListener {
+  override fun onCreate(activity: Activity, savedInstanceState: Bundle?) {
+    super.onCreate(activity, savedInstanceState)
+    OkHttpClientProvider.setOkHttpClientFactory(SSLPinning())
+  }
+}

android/src/main/java/tech/bam/rnas/HttpClientOverride.kt

@@ -0,0 +1,52 @@
+package tech.bam.rnas
+
+import com.facebook.react.modules.network.OkHttpClientFactory;
+import com.facebook.react.modules.network.OkHttpClientProvider;
+
+import okhttp3.CertificatePinner;
+import okhttp3.OkHttpClient;
+
+import org.json.JSONObject
+
+public class SSLPinning : OkHttpClientFactory {
+  override fun createNewNetworkModuleClient(): OkHttpClient {
+    val config = parseConfig()
+
+    val certificatePinnerBuilder = CertificatePinner.Builder()
+
+    for((hostName, certificates) in config) {
+      for (certificate in certificates) {
+        //Certificates must start with 'sha256/' for android
+        certificatePinnerBuilder.add(hostName, "sha256/$certificate")
+      }
+    }
+
+    val certificatePinner = certificatePinnerBuilder.build()
+
+    val clientBuilder = OkHttpClientProvider.createClientBuilder()
+
+    return clientBuilder
+      .certificatePinner(certificatePinner)
+      .build()
+  }
+
+}
+
+
+fun parseConfig() : Map<String, List<String>> {
+  val jsonString: String = BuildConfig.RNAS_PINNING_CONFIG
+
+  val jsonObject = JSONObject(jsonString)
+  val resultMap = mutableMapOf<String, List<String>>()
+
+  jsonObject.keys().forEach { key ->
+      val jsonArray = jsonObject.getJSONArray(key)
+      val valuesList = mutableListOf<String>()
+      for (i in 0 until jsonArray.length()) {
+          valuesList.add(jsonArray.getString(i))
+      }
+      resultMap[key] = valuesList
+  }
+
+  return resultMap // Map<String, List<String>>
+}

app.plugin.js

@@ -0,0 +1 @@
+module.exports = require("./plugin/build");

example/App.tsx

@@ -1,9 +1,10 @@
-import { StyleSheet, Text, View } from "react-native";
+import { Button, StyleSheet, View } from "react-native";
 
 export default function App() {
   return (
     <View style={styles.container}>
-      <Text>{"hello"}</Text>
+      <Button title="fetch - valid certificates" onPress={fetchValid} />
+      <Button title="fetch - invalid certificates" onPress={fetchInvalid} />
     </View>
   );
 }
@@ -14,5 +15,28 @@ const styles = StyleSheet.create({
     backgroundColor: "#fff",
     alignItems: "center",
     justifyContent: "center",
+    gap: 16,
   },
 });
+
+const fetchValid = async () => {
+  try {
+    const response = await fetch("https://google.com");
+    console.warn("✅ valid certificate and fetch succeeded", {
+      status: response.status,
+    });
+  } catch (error) {
+    console.warn("❌ valid certificate but fetch failed", error);
+  }
+};
+
+const fetchInvalid = async () => {
+  try {
+    const response = await fetch("https://yahoo.com");
+    console.warn("❌ invalid certificated but fetch succeeded", {
+      status: response.status,
+    });
+  } catch (error) {
+    console.warn("✅ invalid certificate and fetch failed", error);
+  }
+};

example/android/gradle.properties

@@ -54,3 +54,5 @@ expo.webp.animated=false
 
 # Enable network inspector
 EX_DEV_CLIENT_NETWORK_INSPECTOR=true
+
+RNAS_PINNING_CONFIG={\\"yahoo.com\\":[\\"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=\\",\\"rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE=\\"],\\"google.com\\":[\\"We74o5ME3USRtL6+B2UhXnwY9FR91QPJMYDtUNk6tEc=\\",\\"zCTnfLwLKbS9S2sbp+uFz4KZOocFvXxkV06Ce9O5M2w=\\"]}

example/app.json

@@ -27,6 +27,23 @@
     },
     "web": {
       "favicon": "./assets/favicon.png"
-    }
+    },
+    "plugins": [
+      [
+        "../app.plugin.js",
+        {
+          "sslPinning": {
+            "yahoo.com": [
+              "TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
+              "rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
+            ],
+            "google.com": [
+              "We74o5ME3USRtL6+B2UhXnwY9FR91QPJMYDtUNk6tEc=",
+              "zCTnfLwLKbS9S2sbp+uFz4KZOocFvXxkV06Ce9O5M2w="
+            ]
+          }
+        }
+      ]
+    ]
   }
 }

example/ios/Podfile.lock

@@ -19,6 +19,10 @@ PODS:
     - React-NativeModulesApple
     - React-RCTAppDelegate
     - ReactCommon/turbomodule/core
+  - EXSplashScreen (0.20.5):
+    - ExpoModulesCore
+    - RCT-Folly (= 2021.07.22.00)
+    - React-Core
   - FBLazyVector (0.72.6)
   - FBReactNativeSpec (0.72.6):
     - RCT-Folly (= 2021.07.22.00)
@@ -445,7 +449,9 @@ PODS:
     - React-perflogger (= 0.72.6)
   - RNAS (0.1.0):
     - ExpoModulesCore
+    - TrustKit (~> 3.0.3)
   - SocketRocket (0.6.1)
+  - TrustKit (3.0.3)
   - Yoga (1.14.0)
 
 DEPENDENCIES:
@@ -458,6 +464,7 @@ DEPENDENCIES:
   - Expo (from `../node_modules/expo`)
   - ExpoKeepAwake (from `../node_modules/expo-keep-awake/ios`)
   - ExpoModulesCore (from `../node_modules/expo-modules-core`)
+  - EXSplashScreen (from `../node_modules/expo-splash-screen/ios`)
   - FBLazyVector (from `../node_modules/react-native/Libraries/FBLazyVector`)
   - FBReactNativeSpec (from `../node_modules/react-native/React/FBReactNativeSpec`)
   - glog (from `../node_modules/react-native/third-party-podspecs/glog.podspec`)
@@ -504,6 +511,7 @@ SPEC REPOS:
     - fmt
     - libevent
     - SocketRocket
+    - TrustKit
 
 EXTERNAL SOURCES:
   boost:
@@ -524,6 +532,8 @@ EXTERNAL SOURCES:
     :path: "../node_modules/expo-keep-awake/ios"
   ExpoModulesCore:
     :path: "../node_modules/expo-modules-core"
+  EXSplashScreen:
+    :path: "../node_modules/expo-splash-screen/ios"
   FBLazyVector:
     :path: "../node_modules/react-native/Libraries/FBLazyVector"
   FBReactNativeSpec:
@@ -612,6 +622,7 @@ SPEC CHECKSUMS:
   Expo: 61a8e1aa94311557c137c0a4dfd4fe78281cfbb4
   ExpoKeepAwake: be4cbd52d9b177cde0fd66daa1913afa3161fc1d
   ExpoModulesCore: c480fd4e3c7c8e81f0a6ba3a7c56869f25fe016d
+  EXSplashScreen: c0e7f2d4a640f3b875808ed0b88575538daf6d82
   FBLazyVector: 748c0ef74f2bf4b36cfcccf37916806940a64c32
   FBReactNativeSpec: 966f29e4e697de53a3b366355e8f57375c856ad9
   fmt: ff9d55029c625d3757ed641535fd4a75fedc7ce9
@@ -650,8 +661,9 @@ SPEC CHECKSUMS:
   React-runtimescheduler: f23e337008403341177fc52ee4ca94e442c17ede
   React-utils: fa59c9a3375fb6f4aeb66714fd3f7f76b43a9f16
   ReactCommon: dd03c17275c200496f346af93a7b94c53f3093a4
-  RNAS: bfca86744b14635017be943825c262741649afe4
+  RNAS: bf17eaa3a56a38ecf2834a34444b253add707439
   SocketRocket: f32cd54efbe0f095c4d7594881e52619cfe80b17
+  TrustKit: 7858ea59d0e226b1457b2e9cc8b95d77ab21d471
   Yoga: b76f1acfda8212aa16b7e26bcce3983230c82603
 
 PODFILE CHECKSUM: 6daa8bab0f91b52da2001d6b9f17878279fbf1a9