SlideShare a Scribd company logo

Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection

Anant Shrivastava
Anant Shrivastava

This Session will focus on Mobile Top 10 2014-M3 : Insufficient Transport Layer protection. We will try to understand Transport Layer, Transport layer security (TLS), insecurities in TLS/SSL, and how this affects the overall security of Mobile Devices as well as what kind of protection can be applied and how this can be identified..

Technology
1 of 21
Download to read offline
OWASP Mobile Top 10 Risk M3 : Insufficient Transport Layer Protection Anant Shrivastava
About Me • Anant Shrivastava (@anantshri) • http://www.anantshri.info • Independent Information Security Consultant • Focus Area’s : Web, Mobile, Linux • Current Project: o CodeVigilant (codevigilant.com) • An initiative to find flaws in open source software and perform a responsible disclosure. Website currently holds 160+ disclosed vulnerability in various wordpress plugins. o Android Tamer (androidtamer.com) • Live ISO environment for Android Security Researchers. Used by multiple researchers as well as Trainers across the globe.
Agenda • Understand Transport Layer • Understand Transport Protections • Understand Complexities/Insecurities in transport layer protection. • How to Find Insecure or inadequate protections • How to Prevent it
Transport Layer • OSI Model Layer 4 (from bottom or top) • A transport layer provides end-to-end or host-to-host communication services for applications within a layered architecture of network components and protocols. • Protocols in Use : TCP and UDP • The transport layer is responsible for delivering data to the appropriate application process on the host computers • Unique Identifier : IP:Port (URI) • In short backbone of internet communication
TCP Headers
UDP Headers
Transport Layer Protections • Commonly known as Transport Layer Security (TLS) or formerly Secure Socket Layer (SSL) • Latest version in use TLSv1.2 • Commonly found: SSLv2, SSLv3/TLSv1.0,TLSv1.1 • Uses X509 Certificate based asymetric encryption. • What we generally know as HTTPS • TLS v1.3 in draft since July 2014. • first defined in 1999 and last updated in RFC 5246 (August 2008) and RFC 6176 (March 2011).
TLS Certificates • Issued by a CA (Certification Authority) • Follows a chain of trust to establish the identity of a website. • For internal purposes people use self-signed certificate which doesn’t following trusted chain. • Example of trusted chain @ google.com
Various Algorithms in use
Mobile Prospective Data in transit over TCP / UDP
Insecure implementations • Using Known Weak Ciphers / version (SSLv2, RC4, MD5, CBC in SSL3) • Communication using Self-signed certificate (ignoring warning) • Securing only specific portion of communication • Not validating the chain of trust • Mixxing TLS and non TLS content on Page
SSL Version 2 • SSL version 2 was designed in 1994 by Netscape. Its 20 years old this year. • Known attacks o Identical cryptographic keys are used for message authentication and encryption. o SSL 2.0 has a weak MAC construction that uses the MD5 hash function with a secret prefix, making it vulnerable to length extension attacks. o SSL 2.0 does not have any protection for the handshake, meaning a man-in-the- middle downgrade attack can go undetected. o SSL 2.0 uses the TCP connection close to indicate the end of data. This means that truncation attacks are possible: the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message (SSL 3.0 fixes this problem by having an explicit closure alert). o SSL 2.0 assumes a single service and a fixed domain certificate, which clashes with the standard feature of virtual hosting in Web servers. This means that most websites are practically impaired from using SSL • Blocked in most modern browsers (IE 6 users anyone?)
Other versions • SSLv3 (was working good till 2012) • SSL 3.0 cipher suites have a weaker key derivation process; half of the master key that is established is fully dependent on the MD5 hash function • More attacks o Renegotiation attack o BEAST attack o CRIME and BREACH attacks o Padding attacks (Lucky 13) o RC4 Attacks o Implementation bugs like (Apple SSL, Heartbleed, GNUTLS Fail)
Chain of trust • Establish chain of trust • Ensure the connection has exact same chain of trust as official certificate. • Any certificate in the chain is self-signed, unless it the root. • Not every intermediate certificate is checked, starting from the original certificate all the way up to the root certificate. • An intermediate, CA-signed certificate does not have the expected Basic Constraints or other important extensions. • The root certificate has been compromised or authorized to the wrong party. • Ref : http://cwe.mitre.org/data/definitions/296.html
Mixing content • HTTP and HTTPS content • HTTP can be cached and read over the wire. • Analytics and tracking generally use http for quick transaction and hence susceptible.
Detecting SSL issues • Launch emulator / start device. • Add proxy settings for burp/zap/ironwasp etc • Run application and check if traffic interception works and application performs its actions. (Implementation is flawed) • Identify end points • End point Implementation flaws : use SSLScan (either original or rbsec/sslscan at github)
Preventions
Preventions • Assume connection is compromised • Disable weak ciphers and versions • Perform entire sensitive communication over TLS • Never allow connection using Self-signed certificate. • Use secure versions of tracking/analytics/ad network SDK • Add a second layer of encryption for sensitive data. • Follow Rules: https://www.owasp.org/index.php/ Transport_Layer_Protection_Cheat_Sheet • Perform certificate validation via Certificate pinning : refer http://www.thoughtcrime.org/blog/authenticity-is-broken- in-ssl-but-your-app-ha/
Preventions • iOS: For CFNetwork, use Secure Transport API to designate trusted client certificates • iOS: all NSURL calls (or wrappers of NSURL) do not allow self signed or invalid certificates such as the NSURL class method setAllowsAnyHTTPSCertificate. • iOS Cert Pinning : export your certificate, include it in your app bundle, and anchor it to your trust object. Using the NSURL method connection:willSendRequestForAuthenticationChallenge: will now accept your cert. • Android: ensure org.apache.http.conn.ssl.AllowAllHostnameVerifier or SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER are not present
References • https://en.wikipedia.org/wiki/Transport_layer • https://www.owasp.org/index.php/Mobile_Top_10_2014- M3 • http://www2.dcsec.uni-hannover.de/files/android/p50- fahl.pdf • TCP UDP Headers : http://nmap.org/book/tcpip-ref.html • https://commons.wikimedia.org/wiki/ File:Mobile_and_desktop_device_templates.svg • https://openclipart.org/collection/collection-detail/ silpstream/8546 • http://www.troyhunt.com/2013/06/understanding-risk-of-mixed- content.html
Question Time

Recommended

Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 

Recommended

Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerCiNPA Security SIG
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSAnant Shrivastava
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singaporen|u - The Open Security Community
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017Siddharth Phatarphod
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile HackingNovizul Evendi
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Web Security
Web SecurityWeb Security
Web SecurityDr.Florence Dayana
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxjithu26327
 

More Related Content

What's hot

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSAnant Shrivastava
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 

What's hot (20)

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile Hacking
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 

Similar to Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection

ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxjithu26327
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarDr. Shivashankar
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )Monodip Singha Roy
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYMonodip Singha Roy
 
Network Security_Module_2.pdf
Network Security_Module_2.pdfNetwork Security_Module_2.pdf
Network Security_Module_2.pdfDr. Shivashankar
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementationsTrupti Shiralkar, CISSP
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layerAhmed Elnaggar
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam NotesVijayanand Yadla
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL EnglishSSL247®
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 

Similar to Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection (20)

Web Security
Web SecurityWeb Security
Web Security
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr Shivashankar
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 
Network Security_Module_2.pdf
Network Security_Module_2.pdfNetwork Security_Module_2.pdf
Network Security_Module_2.pdf
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementations
 
Unit08
Unit08Unit08
Unit08
 
Firewall traversals
Firewall traversalsFirewall traversals
Firewall traversals
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
Information Security Engineering
Information Security EngineeringInformation Security Engineering
Information Security Engineering
 
Secure socket later
Secure socket laterSecure socket later
Secure socket later
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam Notes
 
ION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network Operators
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 

More from Anant Shrivastava

Diverseccon keynote: My 2 Paisa's on Infosec World
Diverseccon keynote: My 2 Paisa's on Infosec WorldDiverseccon keynote: My 2 Paisa's on Infosec World
Diverseccon keynote: My 2 Paisa's on Infosec WorldAnant Shrivastava
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Android Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAndroid Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAnant Shrivastava
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAnant Shrivastava
 
Slides null puliya linux basics
Slides null puliya linux basicsSlides null puliya linux basics
Slides null puliya linux basicsAnant Shrivastava
 
Exploiting publically exposed Version Control System
Exploiting publically exposed Version Control SystemExploiting publically exposed Version Control System
Exploiting publically exposed Version Control SystemAnant Shrivastava
 
Tale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedTale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedAnant Shrivastava
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode reviewAnant Shrivastava
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for PentestersAnant Shrivastava
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014Anant Shrivastava
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Raspberry pi Beginners Session
Raspberry pi Beginners SessionRaspberry pi Beginners Session
Raspberry pi Beginners SessionAnant Shrivastava
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information securityAnant Shrivastava
 
WhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom romWhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom romAnant Shrivastava
 
Security Issues in Android Custom ROM
Security Issues in Android Custom ROMSecurity Issues in Android Custom ROM
Security Issues in Android Custom ROMAnant Shrivastava
 
Web application finger printing - whitepaper
Web application finger printing - whitepaperWeb application finger printing - whitepaper
Web application finger printing - whitepaperAnant Shrivastava
 
Battle Underground NullCon 2011 Walkthrough
Battle Underground NullCon 2011 WalkthroughBattle Underground NullCon 2011 Walkthrough
Battle Underground NullCon 2011 WalkthroughAnant Shrivastava
 
Nullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk throughNullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk throughAnant Shrivastava
 

More from Anant Shrivastava (20)

Diverseccon keynote: My 2 Paisa's on Infosec World
Diverseccon keynote: My 2 Paisa's on Infosec WorldDiverseccon keynote: My 2 Paisa's on Infosec World
Diverseccon keynote: My 2 Paisa's on Infosec World
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Android Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal PresentationAndroid Tamer BH USA 2016 : Arsenal Presentation
Android Tamer BH USA 2016 : Arsenal Presentation
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) Professionals
 
Slides null puliya linux basics
Slides null puliya linux basicsSlides null puliya linux basics
Slides null puliya linux basics
 
Exploiting publically exposed Version Control System
Exploiting publically exposed Version Control SystemExploiting publically exposed Version Control System
Exploiting publically exposed Version Control System
 
Tale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedTale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learned
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for Pentesters
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
Raspberry pi Beginners Session
Raspberry pi Beginners SessionRaspberry pi Beginners Session
Raspberry pi Beginners Session
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information security
 
WhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom romWhitePaper : Security issues in android custom rom
WhitePaper : Security issues in android custom rom
 
Security Issues in Android Custom ROM
Security Issues in Android Custom ROMSecurity Issues in Android Custom ROM
Security Issues in Android Custom ROM
 
Web application finger printing - whitepaper
Web application finger printing - whitepaperWeb application finger printing - whitepaper
Web application finger printing - whitepaper
 
Battle Underground NullCon 2011 Walkthrough
Battle Underground NullCon 2011 WalkthroughBattle Underground NullCon 2011 Walkthrough
Battle Underground NullCon 2011 Walkthrough
 
Nullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk throughNullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk through
 
Web2.0 : an introduction
Web2.0 : an introductionWeb2.0 : an introduction
Web2.0 : an introduction
 
Avr introduction
Avr introductionAvr introduction
Avr introduction
 

Recently uploaded

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Recently uploaded (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection

  • 1. OWASP Mobile Top 10 Risk M3 : Insufficient Transport Layer Protection Anant Shrivastava
  • 2. About Me • Anant Shrivastava (@anantshri) • http://www.anantshri.info • Independent Information Security Consultant • Focus Area’s : Web, Mobile, Linux • Current Project: o CodeVigilant (codevigilant.com) • An initiative to find flaws in open source software and perform a responsible disclosure. Website currently holds 160+ disclosed vulnerability in various wordpress plugins. o Android Tamer (androidtamer.com) • Live ISO environment for Android Security Researchers. Used by multiple researchers as well as Trainers across the globe.
  • 3. Agenda • Understand Transport Layer • Understand Transport Protections • Understand Complexities/Insecurities in transport layer protection. • How to Find Insecure or inadequate protections • How to Prevent it
  • 4. Transport Layer • OSI Model Layer 4 (from bottom or top) • A transport layer provides end-to-end or host-to-host communication services for applications within a layered architecture of network components and protocols. • Protocols in Use : TCP and UDP • The transport layer is responsible for delivering data to the appropriate application process on the host computers • Unique Identifier : IP:Port (URI) • In short backbone of internet communication
  • 7. Transport Layer Protections • Commonly known as Transport Layer Security (TLS) or formerly Secure Socket Layer (SSL) • Latest version in use TLSv1.2 • Commonly found: SSLv2, SSLv3/TLSv1.0,TLSv1.1 • Uses X509 Certificate based asymetric encryption. • What we generally know as HTTPS • TLS v1.3 in draft since July 2014. • first defined in 1999 and last updated in RFC 5246 (August 2008) and RFC 6176 (March 2011).
  • 8. TLS Certificates • Issued by a CA (Certification Authority) • Follows a chain of trust to establish the identity of a website. • For internal purposes people use self-signed certificate which doesn’t following trusted chain. • Example of trusted chain @ google.com
  • 10. Mobile Prospective Data in transit over TCP / UDP
  • 11. Insecure implementations • Using Known Weak Ciphers / version (SSLv2, RC4, MD5, CBC in SSL3) • Communication using Self-signed certificate (ignoring warning) • Securing only specific portion of communication • Not validating the chain of trust • Mixxing TLS and non TLS content on Page
  • 12. SSL Version 2 • SSL version 2 was designed in 1994 by Netscape. Its 20 years old this year. • Known attacks o Identical cryptographic keys are used for message authentication and encryption. o SSL 2.0 has a weak MAC construction that uses the MD5 hash function with a secret prefix, making it vulnerable to length extension attacks. o SSL 2.0 does not have any protection for the handshake, meaning a man-in-the- middle downgrade attack can go undetected. o SSL 2.0 uses the TCP connection close to indicate the end of data. This means that truncation attacks are possible: the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message (SSL 3.0 fixes this problem by having an explicit closure alert). o SSL 2.0 assumes a single service and a fixed domain certificate, which clashes with the standard feature of virtual hosting in Web servers. This means that most websites are practically impaired from using SSL • Blocked in most modern browsers (IE 6 users anyone?)
  • 13. Other versions • SSLv3 (was working good till 2012) • SSL 3.0 cipher suites have a weaker key derivation process; half of the master key that is established is fully dependent on the MD5 hash function • More attacks o Renegotiation attack o BEAST attack o CRIME and BREACH attacks o Padding attacks (Lucky 13) o RC4 Attacks o Implementation bugs like (Apple SSL, Heartbleed, GNUTLS Fail)
  • 14. Chain of trust • Establish chain of trust • Ensure the connection has exact same chain of trust as official certificate. • Any certificate in the chain is self-signed, unless it the root. • Not every intermediate certificate is checked, starting from the original certificate all the way up to the root certificate. • An intermediate, CA-signed certificate does not have the expected Basic Constraints or other important extensions. • The root certificate has been compromised or authorized to the wrong party. • Ref : http://cwe.mitre.org/data/definitions/296.html
  • 15. Mixing content • HTTP and HTTPS content • HTTP can be cached and read over the wire. • Analytics and tracking generally use http for quick transaction and hence susceptible.
  • 16. Detecting SSL issues • Launch emulator / start device. • Add proxy settings for burp/zap/ironwasp etc • Run application and check if traffic interception works and application performs its actions. (Implementation is flawed) • Identify end points • End point Implementation flaws : use SSLScan (either original or rbsec/sslscan at github)
  • 18. Preventions • Assume connection is compromised • Disable weak ciphers and versions • Perform entire sensitive communication over TLS • Never allow connection using Self-signed certificate. • Use secure versions of tracking/analytics/ad network SDK • Add a second layer of encryption for sensitive data. • Follow Rules: https://www.owasp.org/index.php/ Transport_Layer_Protection_Cheat_Sheet • Perform certificate validation via Certificate pinning : refer http://www.thoughtcrime.org/blog/authenticity-is-broken- in-ssl-but-your-app-ha/
  • 19. Preventions • iOS: For CFNetwork, use Secure Transport API to designate trusted client certificates • iOS: all NSURL calls (or wrappers of NSURL) do not allow self signed or invalid certificates such as the NSURL class method setAllowsAnyHTTPSCertificate. • iOS Cert Pinning : export your certificate, include it in your app bundle, and anchor it to your trust object. Using the NSURL method connection:willSendRequestForAuthenticationChallenge: will now accept your cert. • Android: ensure org.apache.http.conn.ssl.AllowAllHostnameVerifier or SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER are not present
  • 20. References • https://en.wikipedia.org/wiki/Transport_layer • https://www.owasp.org/index.php/Mobile_Top_10_2014- M3 • http://www2.dcsec.uni-hannover.de/files/android/p50- fahl.pdf • TCP UDP Headers : http://nmap.org/book/tcpip-ref.html • https://commons.wikimedia.org/wiki/ File:Mobile_and_desktop_device_templates.svg • https://openclipart.org/collection/collection-detail/ silpstream/8546 • http://www.troyhunt.com/2013/06/understanding-risk-of-mixed- content.html