Extend MSTG‑NETWORK‑3 with Certificate transparency for iOS and Android

[commjoen]

Extend MSTG‑NETWORK‑3 with Certificate transparency for iOS and Android

[commjoen]

See :
https://www.agnosticdev.com/blog-entry/network-security/mobile-landscape-certificate-transparency
https://github.com/technion/ct_advisor
https://github.com/google/conscrypt
https://github.com/google/certificate-transparency-java
https://www.agnosticdev.com/blog-entry/network-security/mobile-landscape-certificate-transparency
https://github.com/Babylonpartners/certificate-transparency-android
Note: ios 12.1.1 requires it already.
https://chromium.googlesource.com/chromium/src/+/master/net/docs/certificate-transparency.md#certificate-transparency-for-enterprises for more info
NOTE: using CTA will require your domain (including internal domains) to be publicly registered which was made fun off by Jeroen Willemsen in https://xebia.com/blog/certshout-all-your-domains-are-public/, but oftne forgotten. So if you have a domain that you don't want to have that publicly available, you can pin, otherwise: consider CTA, but be aware that you need a CA that makes sure no weird shit happens with your cert.

[commjoen]

Last note: when you do pinning on the CA its public key and the CA is compromised, then CT can help detecting that. However, if you do public key pinning on your leaf cert, then CT will not really help for a native app.

[sushi2k]

Good summary of options for Android: https://medium.com/babylon-engineering/android-security-certificate-transparency-601c18157c44