Ats-pinning
ATS consider pinning
ATS-consider-pinning
ATS-consider-pinning
The application’s App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface.
Likelihood: LOW
Confidence: HIGH
CWE:
- C
- W
- E
- -
- 2
- 9
- 6
- :
-
- I
- m
- p
- r
- o
- p
- e
- r
-
- F
- o
- l
- l
- o
- w
- i
- n
- g
-
- o
- f
-
- a
-
- C
- e
- r
- t
- i
- f
- i
- c
- a
- t
- e
- ’
- s
-
- C
- h
- a
- i
- n
-
- o
- f
-
- T
- r
- u
- s
- t
Likelihood: LOW
Confidence: HIGH
CWE:
- C
- W
- E
- -
- 2
- 9
- 6
- :
-
- I
- m
- p
- r
- o
- p
- e
- r
-
- F
- o
- l
- l
- o
- w
- i
- n
- g
-
- o
- f
-
- a
-
- C
- e
- r
- t
- i
- f
- i
- c
- a
- t
- e
- ’
- s
-
- C
- h
- a
- i
- n
-
- o
- f
-
- T
- r
- u
- s
- t