Open
Description
The chain you get is the chain given by the peer (the web server).
It can contain any number of certificates that have nothing to do with the trust chain created internally by checkSystemTrust().
CertificateChainCleaner.java tries to fix that, but it does not validate any signatures.
So adding invalid certificates can create a second trust chain to circumvent the pinning.
checkPinTrust() returns true if the parameter contains any certificate that matches the pin.
By attaching any trusted, correctly pinned certificate to the TLS response, the entire pinning can be circumvented.
See https://www.cigital.com/blog/ineffective-certificate-pinning-implementations/ for a more detailed explanation of your security flaw.
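The bypass the report describes, as an added toy model (not code from the project or the reporter): `vulnerable_check_pin_trust` accepts a pin match anywhere in the peer-supplied list, while `fixed_check_pin_trust` builds the validated path from the leaf to a trust anchor first and only checks pins against that path. Certificates are plain dicts, the HMAC "signature" stands in for an RSA/ECDSA signature so it runs offline, and all names, keys and the rogue CA scenario are constructed for illustration.

```python
"""Toy model of checking pins against the peer-supplied chain versus the
validated chain. Certificates are dicts, not real X.509; the HMAC stands in
for an asymmetric signature. All names and keys below are constructed."""
import hashlib
import hmac

# Constructed issuer keys. Verification looks the key up by issuer name,
# standing in for verifying with the issuer's public key.
KEYS = {
    "Good Root CA": b"good-root-secret",
    "Rogue CA": b"rogue-ca-secret",
}


def _tbs(subject, issuer, spki):
    return f"{subject}|{issuer}|{spki}".encode()


def make_cert(subject, issuer, spki):
    """Build a toy certificate signed by `issuer` (must be in KEYS)."""
    sig = hmac.new(KEYS[issuer], _tbs(subject, issuer, spki), hashlib.sha256).hexdigest()
    return {"subject": subject, "issuer": issuer, "spki": spki, "sig": sig}


def signature_valid(cert):
    """Recompute the issuer's signature over the cert body and compare."""
    key = KEYS.get(cert["issuer"])
    if key is None:
        return False
    expected = hmac.new(key, _tbs(cert["subject"], cert["issuer"], cert["spki"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def spki_pin(cert):
    """Pin = SHA-256 over the (toy) SubjectPublicKeyInfo."""
    return hashlib.sha256(cert["spki"].encode()).hexdigest()


def vulnerable_check_pin_trust(peer_chain, pins):
    """The flaw: any cert anywhere in the peer-supplied list that matches a
    pin is accepted, whether or not it is on the validated path."""
    return any(spki_pin(c) in pins for c in peer_chain)


def build_validated_chain(peer_chain, trust_anchors):
    """Path building with signature checks: start at the leaf (first cert),
    follow issuer links, stop at a trust anchor. Certificates the peer
    appended that are not on that path are simply never visited."""
    by_subject = {c["subject"]: c for c in peer_chain}
    anchors = {a["subject"]: a for a in trust_anchors}
    path = [peer_chain[0]]
    seen = {peer_chain[0]["subject"]}
    while True:
        current = path[-1]
        if not signature_valid(current):
            return None
        if current["issuer"] in anchors:
            path.append(anchors[current["issuer"]])
            return path
        issuer = by_subject.get(current["issuer"])
        if issuer is None or issuer["subject"] in seen:
            return None
        seen.add(issuer["subject"])
        path.append(issuer)


def fixed_check_pin_trust(peer_chain, trust_anchors, pins):
    """Pins are matched only against the chain that actually validated."""
    validated = build_validated_chain(peer_chain, trust_anchors)
    if validated is None:
        return False
    return any(spki_pin(c) in pins for c in validated)


# Constructed scenario: the device trusts both roots, but the app pins only
# the legitimate leaf, whose certificate is public and easy to obtain.
GOOD_ROOT = make_cert("Good Root CA", "Good Root CA", "good-root-key")
ROGUE_ROOT = make_cert("Rogue CA", "Rogue CA", "rogue-key")
LEGIT_LEAF = make_cert("example.test", "Good Root CA", "legit-leaf-key")
MITM_LEAF = make_cert("example.test", "Rogue CA", "mitm-leaf-key")
SYSTEM_TRUST = [GOOD_ROOT, ROGUE_ROOT]
PINS = {spki_pin(LEGIT_LEAF)}

HONEST_CHAIN = [LEGIT_LEAF]
# The attacker serves a rogue-CA leaf and appends the pinned public cert.
ATTACK_CHAIN = [MITM_LEAF, LEGIT_LEAF]

if __name__ == "__main__":
    print("vulnerable, attack chain:", vulnerable_check_pin_trust(ATTACK_CHAIN, PINS))
    print("fixed, attack chain:     ", fixed_check_pin_trust(ATTACK_CHAIN, SYSTEM_TRUST, PINS))
    print("fixed, honest chain:     ", fixed_check_pin_trust(HONEST_CHAIN, SYSTEM_TRUST, PINS))
```

The point of the fixed variant is ordering: build and signature-check the path first, then consult the pin set only for certificates on that path. A pinned certificate that the peer appended but that never signs anything on the path, as well as a forged certificate whose signature fails, cannot contribute to the decision.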