SlideShare a Scribd company logo

Certificate Pinning in Mobile Applications

Luca Bongiorni
Luca Bongiorni

The document discusses certificate pinning and provides information on implementing it for Android, iOS, and Windows platforms. It describes certificate pinning as associating a host with an expected certificate or public key to prevent man-in-the-middle attacks. The document outlines pros and cons of certificate pinning, and provides code examples and links to resources for implementing pinning on different mobile platforms.

Technology
1 of 17
Download to read offline
OWASP Lithuania - Luca Bongiorni – 05/03/2015
 Introduction to Pinning  Why is good to have it...  State of Art – Android / iOS / Win  Conclusion – Pros & Cons 2
3  Mobile applications frequently do not protect network traffic.  They may use SSL/TLS during authentication but not elsewhere. This inconsistency leads to the risk of exposing data and session IDs to interception. Business Impact  Loss of Confidentiality and Integrity  Company’s reputation at risk  Incident response costs $$$  Possible legal issues (e.g. violation of ISO/PCI requirements) Mitigation  Use End-to-End encryption between browser and web server (HTTPS) ► SSL/TLS ► Certificate Pinning !
4 Pinning is the process of associating a host with their expected *{X509 certificate || public key}. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. <…> • The pre-existing relationship between the user and an organization helps make better security related decisions. • No longer needs to depend on others (e.g. CAs) when making security decisions relating to a peer's identity!
5  The certificate is easiest to pin. When the certificate expires, you would update your application.  Public key pinning is more flexible but a little trickier due to the extra steps necessary to extract the public key from a certificate. o As with a certificate, the program checks the extracted public key with its embedded copy of the public key. o It is harder to work with keys (Vs. certificates) since you usually must extract the key from the certificate. Extraction is a minor inconvenience in Java, buts its uncomfortable in Cocoa and OpenSSL. o The key is static and may violate key rotation policies.
 Introduction to Pinning  Why is good to have it...  State of Art – Android / iOS / Win  Conclusion – Pros & Cons 6
7 “An IMSI-Catcher (International Mobile Subscriber Identity) is a telephony eavesdropping device used for intercepting mobile phone traffic and tracking movement of subscribers. Essentially a "fake" mobile tower acting between the target mobile phone and the MNO's real BTSes, it is considered a Man-In-The-Middle (MITM) attack.” Fake WiFi AP + jam real AP? ARP Poisoning?… Old known boring threats.
8
9
 Introduction to Pinning  Why is good to have it...  State of Art – Android / iOS / Win  Conclusion – Pros & Cons 10
11 Pinning is accomplished through a custom X509TrustManager API. Google Chrome PubKey pinning style. Customized version of TrustManager from Moxie Marlinspike available at: https://github.com/moxie0/AndroidPinning public PinningTrustManager(SystemKeyStore keyStore, String[] pins, long enforceUntilTimestampMillis) { this.systemTrustManagers = initializeSystemTrustManagers(keyStore); this.systemKeyStore = keyStore; this.enforceUntilTimestampMillis = enforceUntilTimestampMillis; for (String pin : pins) { this.pins.add(hexStringToByteArray(pin)); } } Constructs a PinningTrustManager with a set of valid pins. @param keyStore A SystemKeyStore that validation will be based on. @param pins An array of encoded pins to match a seen certificate chain against. A pin is a hex- encoded hash of a X.509 certificate's SubjectPublicKeyInfo. A pin can be generated using the provided ./tools/pin.py certificate_file.pem @param enforceUntilTimestampMillis A timestamp (in milliseconds) when pins will stop being enforced. Normal non-pinned certificate validation will continue. Set this to some period after your build date, or to 0 to enforce pins forever.
12 The method used to Ping Certificates is :connection:willSendRequestForAuthenticationChallenge: inside the NSURLConnectionDelegate protocol. This method gets called when an SSL connection is made, giving the developer, a chance to inspect the authentication challenge and either proceed or fail. The code below shows how you can check the certificate sent by the server, with a known certificate embedded in your applications.
After doing await and socket.UpgradeToSslAsync(), check socket.Information.ServerCertificate for the cert that was provided by the server. You can verify that it's the cert you were expecting before you send any data. 13 The majority of Windows Phone 8 applications on the Marketplace lack certificate pinning due to the difficulty of implementing this security measure on the platform. Possible solutions: • For Win 8.0: Use an open source third party library for SSL such as OpenSSL or Bouncy Castle crypto Libs and attempt to build for Windows Phone. Cons: It may require significant effort to implement correctly. • For Win 8.0: Use a commercial library supporting SSL pinning: SecureBlackBox (https://www.eldos.com/sbb/). Cons: $$$ • >= Win 8.1: Thanks to the use of StreamSocket we can read the contents of the certificate via StreamSocket.Information.ServerCertificate property. StreamSocket s = new StreamSocket(); await s.ConnectAsync(new HostName(SrvURL), "443"); s.UpgradeToSslAsync(SocketProtectionLevel.Ssl, new HostName(SrvURL)); var certificate = s.Information.ServerCertificate;
 Introduction to Pinning  Why is good to have it...  State of Art – Android / iOS / Win  Conclusion – Pros & Cons 14
PROS 15  Better Security: Drastically reduce the ability to conduct successful MITM attacks.  Not Hard to Implement: Not as difficult as it seems to implement a basic certificate pinning.  Cost Saving: By using a self-signed certificate is possible reduce the costs, instead of paying for a certificate. • Possible problems in case of Certificate or PubKey revocation. • Egress filtering in a corporate environment (i.e. Interception Proxy) • The certificate embedded in your app will eventually expire. Your have to either plan for an app update that contains an updated certificate, or code a way for the application to download the new certificate, which is hardly achievable in practice. CONS
16 • https://www.owasp.org/index.php/Mobile_Top_10_2014-M3 • https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning • https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21 • https://www.owasp.org/index.php/Pinning_Cheat_Sheet • http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/ • http://developer.android.com/reference/android/net/http/X509TrustManagerExte nsions.html • https://www.isecpartners.com/blog/2013/february/ssl-pinning-on-ios.aspx • www.doubleencore.com/2013/03/ssl-pinning-for-increased-app-security/ • http://blog.soat.fr/2014/11/wp8-problematique-du-certificate-pinning/ • http://www.slideshare.net/iazza/dcm-final-23052013fullycensored • http://chargen.matasano.com/chargen/2015/1/6/bypassing-openssl-certificate- pinning-in-ios-apps.html
17

Recommended

OReilly-Web-Application-Security-NGINX.pdf
OReilly-Web-Application-Security-NGINX.pdfOReilly-Web-Application-Security-NGINX.pdf
OReilly-Web-Application-Security-NGINX.pdf
RazaMehmood7
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
 
Certificate pinning v certificate transparency
Certificate pinning v certificate transparencyCertificate pinning v certificate transparency
Certificate pinning v certificate transparency
DianaKhersonskaia
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure_ Official
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 

Recommended

OReilly-Web-Application-Security-NGINX.pdf
OReilly-Web-Application-Security-NGINX.pdfOReilly-Web-Application-Security-NGINX.pdf
OReilly-Web-Application-Security-NGINX.pdf
RazaMehmood7
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
 
Certificate pinning v certificate transparency
Certificate pinning v certificate transparencyCertificate pinning v certificate transparency
Certificate pinning v certificate transparency
DianaKhersonskaia
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure_ Official
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & Keycloak
Charles Moulliard
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Mobil Uygulama Güvenliği (Mobile Security)
Mobil Uygulama Güvenliği (Mobile Security)Mobil Uygulama Güvenliği (Mobile Security)
Mobil Uygulama Güvenliği (Mobile Security)
Cihan Özhan
 
Zero Trust 20211105
Zero Trust 20211105 Zero Trust 20211105
Zero Trust 20211105
Thomas Treml
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
Marius Vorster
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
Sunny Neo
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Ajin Abraham
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
Prashant Hegde
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application Security
CA Technologies
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
Ross Wolf
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
Anant Shrivastava
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
Cláudio André
 

More Related Content

What's hot

Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
Ross Wolf
 

What's hot (20)

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Security enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & KeycloakSecurity enforcement of Java Microservices with Apiman & Keycloak
Security enforcement of Java Microservices with Apiman & Keycloak
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Mobil Uygulama Güvenliği (Mobile Security)
Mobil Uygulama Güvenliği (Mobile Security)Mobil Uygulama Güvenliği (Mobile Security)
Mobil Uygulama Güvenliği (Mobile Security)
 
Zero Trust 20211105
Zero Trust 20211105 Zero Trust 20211105
Zero Trust 20211105
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
CA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application SecurityCA API Gateway: Web API and Application Security
CA API Gateway: Web API and Application Security
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 

Viewers also liked

NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 
Real Life Clean Architecture
Real Life Clean ArchitectureReal Life Clean Architecture
Real Life Clean Architecture
Mattia Battiston
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session
Avinash Sinha
 

Viewers also liked (20)

SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
Pentesting Android with BackBox 4
Pentesting Android with BackBox 4Pentesting Android with BackBox 4
Pentesting Android with BackBox 4
 
Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013
 
Forms4all
Forms4allForms4all
Forms4all
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 
Penetrating Android Aapplications
Penetrating Android AapplicationsPenetrating Android Aapplications
Penetrating Android Aapplications
 
Espresso Barista
Espresso BaristaEspresso Barista
Espresso Barista
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Toward Better Password Requirements
Toward Better Password RequirementsToward Better Password Requirements
Toward Better Password Requirements
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
 
«Автотесты» Вадим Пуштаев, программист отдела внутренней разработки Поиска Ma...
«Автотесты» Вадим Пуштаев, программист отдела внутренней разработки Поиска Ma...«Автотесты» Вадим Пуштаев, программист отдела внутренней разработки Поиска Ma...
«Автотесты» Вадим Пуштаев, программист отдела внутренней разработки Поиска Ma...
 
Java Tools and Technologies Landscape for 2014 (image gallery)
Java Tools and Technologies Landscape for 2014 (image gallery)Java Tools and Technologies Landscape for 2014 (image gallery)
Java Tools and Technologies Landscape for 2014 (image gallery)
 
Real Life Clean Architecture
Real Life Clean ArchitectureReal Life Clean Architecture
Real Life Clean Architecture
 
JavaStart - kurs Java Podstawy
JavaStart - kurs Java PodstawyJavaStart - kurs Java Podstawy
JavaStart - kurs Java Podstawy
 
«Coro. Intro» Евгений Вансевич, программист Почты Mail.Ru
«Coro. Intro» Евгений Вансевич, программист Почты Mail.Ru«Coro. Intro» Евгений Вансевич, программист Почты Mail.Ru
«Coro. Intro» Евгений Вансевич, программист Почты Mail.Ru
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session
 
Model-based Analysis of Java EE Web Security Configurations - Mise 2016
Model-based Analysis of Java EE Web Security Configurations - Mise 2016Model-based Analysis of Java EE Web Security Configurations - Mise 2016
Model-based Analysis of Java EE Web Security Configurations - Mise 2016
 

Similar to Certificate Pinning in Mobile Applications

Secure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet InfrastructureSecure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet Infrastructure
webhostingguy
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hamzaaqqa7
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 

Similar to Certificate Pinning in Mobile Applications (20)

Certificates and Web of Trust
Certificates and Web of TrustCertificates and Web of Trust
Certificates and Web of Trust
 
Online Authentication
Online AuthenticationOnline Authentication
Online Authentication
 
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...
 
Secure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet InfrastructureSecure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet Infrastructure
 
Certificate Validation using block chain
Certificate Validation using block chainCertificate Validation using block chain
Certificate Validation using block chain
 
Understanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by SymantecUnderstanding SSL Certificate for Apps by Symantec
Understanding SSL Certificate for Apps by Symantec
 
Jsse
JsseJsse
Jsse
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
 
The Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesThe Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL Certificates
 
The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
 
White paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLWhite paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSL
 
Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...
Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...
Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...
 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 

More from Luca Bongiorni

HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...
Luca Bongiorni
 
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's JourneyManufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Luca Bongiorni
 
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Luca Bongiorni
 

More from Luca Bongiorni (6)

HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...
 
ANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playsetANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playset
 
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's JourneyManufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
 
How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1
 
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Recently uploaded (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Certificate Pinning in Mobile Applications

  • 1. OWASP Lithuania - Luca Bongiorni – 05/03/2015
  • 2.  Introduction to Pinning  Why is good to have it...  State of Art – Android / iOS / Win  Conclusion – Pros & Cons 2
  • 3. 3  Mobile applications frequently do not protect network traffic.  They may use SSL/TLS during authentication but not elsewhere. This inconsistency leads to the risk of exposing data and session IDs to interception. Business Impact  Loss of Confidentiality and Integrity  Company’s reputation at risk  Incident response costs $$$  Possible legal issues (e.g. violation of ISO/PCI requirements) Mitigation  Use End-to-End encryption between browser and web server (HTTPS) ► SSL/TLS ► Certificate Pinning !
  • 4. 4 Pinning is the process of associating a host with their expected *{X509 certificate || public key}. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host. <…> • The pre-existing relationship between the user and an organization helps make better security related decisions. • No longer needs to depend on others (e.g. CAs) when making security decisions relating to a peer's identity!
  • 5. 5  The certificate is easiest to pin. When the certificate expires, you would update your application.  Public key pinning is more flexible but a little trickier due to the extra steps necessary to extract the public key from a certificate. o As with a certificate, the program checks the extracted public key with its embedded copy of the public key. o It is harder to work with keys (Vs. certificates) since you usually must extract the key from the certificate. Extraction is a minor inconvenience in Java, buts its uncomfortable in Cocoa and OpenSSL. o The key is static and may violate key rotation policies.
  • 6.  Introduction to Pinning  Why is good to have it...  State of Art – Android / iOS / Win  Conclusion – Pros & Cons 6
  • 7. 7 “An IMSI-Catcher (International Mobile Subscriber Identity) is a telephony eavesdropping device used for intercepting mobile phone traffic and tracking movement of subscribers. Essentially a "fake" mobile tower acting between the target mobile phone and the MNO's real BTSes, it is considered a Man-In-The-Middle (MITM) attack.” Fake WiFi AP + jam real AP? ARP Poisoning?… Old known boring threats.
  • 8. 8
  • 9. 9
  • 10.  Introduction to Pinning  Why is good to have it...  State of Art – Android / iOS / Win  Conclusion – Pros & Cons 10
  • 11. 11 Pinning is accomplished through a custom X509TrustManager API. Google Chrome PubKey pinning style. Customized version of TrustManager from Moxie Marlinspike available at: https://github.com/moxie0/AndroidPinning public PinningTrustManager(SystemKeyStore keyStore, String[] pins, long enforceUntilTimestampMillis) { this.systemTrustManagers = initializeSystemTrustManagers(keyStore); this.systemKeyStore = keyStore; this.enforceUntilTimestampMillis = enforceUntilTimestampMillis; for (String pin : pins) { this.pins.add(hexStringToByteArray(pin)); } } Constructs a PinningTrustManager with a set of valid pins. @param keyStore A SystemKeyStore that validation will be based on. @param pins An array of encoded pins to match a seen certificate chain against. A pin is a hex- encoded hash of a X.509 certificate's SubjectPublicKeyInfo. A pin can be generated using the provided ./tools/pin.py certificate_file.pem @param enforceUntilTimestampMillis A timestamp (in milliseconds) when pins will stop being enforced. Normal non-pinned certificate validation will continue. Set this to some period after your build date, or to 0 to enforce pins forever.
  • 12. 12 The method used to Ping Certificates is :connection:willSendRequestForAuthenticationChallenge: inside the NSURLConnectionDelegate protocol. This method gets called when an SSL connection is made, giving the developer, a chance to inspect the authentication challenge and either proceed or fail. The code below shows how you can check the certificate sent by the server, with a known certificate embedded in your applications.
  • 13. After doing await and socket.UpgradeToSslAsync(), check socket.Information.ServerCertificate for the cert that was provided by the server. You can verify that it's the cert you were expecting before you send any data. 13 The majority of Windows Phone 8 applications on the Marketplace lack certificate pinning due to the difficulty of implementing this security measure on the platform. Possible solutions: • For Win 8.0: Use an open source third party library for SSL such as OpenSSL or Bouncy Castle crypto Libs and attempt to build for Windows Phone. Cons: It may require significant effort to implement correctly. • For Win 8.0: Use a commercial library supporting SSL pinning: SecureBlackBox (https://www.eldos.com/sbb/). Cons: $$$ • >= Win 8.1: Thanks to the use of StreamSocket we can read the contents of the certificate via StreamSocket.Information.ServerCertificate property. StreamSocket s = new StreamSocket(); await s.ConnectAsync(new HostName(SrvURL), "443"); s.UpgradeToSslAsync(SocketProtectionLevel.Ssl, new HostName(SrvURL)); var certificate = s.Information.ServerCertificate;
  • 14.  Introduction to Pinning  Why is good to have it...  State of Art – Android / iOS / Win  Conclusion – Pros & Cons 14
  • 15. PROS 15  Better Security: Drastically reduce the ability to conduct successful MITM attacks.  Not Hard to Implement: Not as difficult as it seems to implement a basic certificate pinning.  Cost Saving: By using a self-signed certificate is possible reduce the costs, instead of paying for a certificate. • Possible problems in case of Certificate or PubKey revocation. • Egress filtering in a corporate environment (i.e. Interception Proxy) • The certificate embedded in your app will eventually expire. Your have to either plan for an app update that contains an updated certificate, or code a way for the application to download the new certificate, which is hardly achievable in practice. CONS
  • 16. 16 • https://www.owasp.org/index.php/Mobile_Top_10_2014-M3 • https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning • https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21 • https://www.owasp.org/index.php/Pinning_Cheat_Sheet • http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/ • http://developer.android.com/reference/android/net/http/X509TrustManagerExte nsions.html • https://www.isecpartners.com/blog/2013/february/ssl-pinning-on-ios.aspx • www.doubleencore.com/2013/03/ssl-pinning-for-increased-app-security/ • http://blog.soat.fr/2014/11/wp8-problematique-du-certificate-pinning/ • http://www.slideshare.net/iazza/dcm-final-23052013fullycensored • http://chargen.matasano.com/chargen/2015/1/6/bypassing-openssl-certificate- pinning-in-ios-apps.html
  • 17. 17