Exploring mTLS in Mobile Applications
Exploring mTLS in Mobile Applications
Today, I will present a case study on mTLS that I conducted in a private bug bounty program.
mTLS (Mutual TLS) is a method of mutual authentication that ensures both parties in a network connection are who they claim to be. In an mTLS connection, the server verifies the client’s certificate, and the client verifies the server’s certificate. If a proxy like Burp Suite were used in this connection, the server would reject the connection.
What is mTLS?
Mutual TLS (mTLS) is a security protocol used in network communications to provide an enhanced level of security. In a standard TLS setup, only the server is authenticated, while the client remains unauthenticated. This means that while the client can trust the server, the reverse isn’t necessarily true.
In contrast, mTLS adds an extra layer of security by requiring both the client and the server to authenticate themselves to each other before establishing a secure connection. This is achieved through the use of digital certificates on both ends. When a client attempts to connect to a server using mTLS, the following steps typically occur:
- The client presents its certificate to the server.
- The server verifies the client’s certificate.
- The server presents its certificate to the client.
- The client verifies the server’s certificate.
How Does the Client Certificate Verification Flow Work?
In the case of this application, a request containing a Certificate Signing Request (CSR) certificate was sent to the server. The server’s response was a CA (Certificate Authority) certificate signed by the company.
Certificate Signing Request (CSR) in mTLS
A crucial component in the mTLS process is the Certificate Signing Request (CSR). Let’s break down what a CSR is and its role in mTLS:
- A CSR is one of the initial steps in obtaining an SSL/TLS certificate.
- It’s generated on the server where you plan to install the certificate.
- The CSR contains essential information such as the common name, organization, and country.
- It also includes the public key that will be part of your certificate.
- The CSR is signed with the corresponding private key.
PKCS #12: Bundling Cryptographic Objects
PKCS #12 is an archive file format used for storing multiple cryptography objects in a single file. It’s commonly used to:
- Bundle a private key with its X.509 certificate
- Bundle all members of a chain of trust
This format plays a crucial role in managing the various certificates and keys used in mTLS.
APP
CSR Request and CA Response
In the image above, we have a section of the application code responsible for creating the CSR certificate that will be sent to the server.
Hooking Process
Using Frida, I converted my keys (public and private) to the format expected by the generateCertificateSigningRequest(args).
We can then hook the generateCertificateSigningRequest(args) function and alter the public and private keys used in the CSR creation process. Now the application will send the CSR certificate containing the new keys and generate a CA that we can use to create a pkcs12 file and import it into Burp Suite.
PKCS#12 Import in Burp Suite
Conclusion
Mutual TLS provides a robust method of ensuring secure and authenticated communication between clients and servers. In the context of a bug bounty program, understanding and exploiting mTLS can be crucial for identifying potential security flaws and vulnerabilities.
For more detailed information on mTLS and related topics, you can refer to the following resources:
- Cloudflare: What is Mutual TLS?
- GlobalSign: What is a Certificate Signing Request (CSR)?
- Hostinger: What is SSL/TLS?
Happy securing!