Inside SafetyNet - part 3

This post is part of a series: Inside SafetyNet part 1 (Oct 2015) Inside SafetyNet part 2 (Feb 2016) Inside SafetyNet part 3 (Nov 2016) How to implement Attestation securely using server-side checks (my blog, Cigital blog) SafetyNet Playground (POC server-side implementation) Play Store - Android source - PHP source It’s been more than 8 months since my last blog post on Android’s SafetyNet. In that post I was describing an end-of-2015 version of the system (version code 2495818). »

Migrating from Ghost to Hugo

This weekend I migrated my blog from Ghost to Hugo. Ghost is great, but I couldn’t justify running a DigitalOcean droplet just for hosting a blog, maintaining it and updating Ghost all the time. Static pages work just fine. So, after looking around at several static site generators I decided to use Hugo. Here is what I did to migrate: Created a new hugo site on my local system. Got a JSON backup of my Ghost content using the export tool. »

Hiding root with suhide

Update: This post was written after he release of suhide v0.01 and documents that version. Scroll further down for some notes on the newer suhide v0.12. ChainFire recently released suhide, a new “root hiding” mod for SuperSU. It is claimed to beat SafetyNet - and it does, for now - no configuration necessary. Here is some proof, using our SafetyNet Playground app: So how does it do it? suhide.zip is flashed to the device through Android recovery. »

Certificate Pinning for mobile apps - OWASP AppSecEU16 slides

As you might have guessed from previous posts on the topic, I’ve been researching certificate pinning implementations in mobile apps for the last couple of years. Two months ago I presented a talk on certificate pinning at OWASP AppSecEU16 conference in Rome, Italy. The conference was pretty fun, met so many interesting people. So, here are my slides: https://goo.gl/SNuQHN Here’s the official abstract: Pinning Certificates (“Cert Pinning”) trends perennially, coming to the fore with each new SSL hack. »

Testing for CVE-2016-2402 and similar pinning issues

Two weeks ago I published details of an attack method that can be used to bypass various implementations of certificate pinning in Android or generally Java applications. Several applications and frameworks are still vulnerable to the attack, among them every Java or Android application using a version of the popular OkHttp networking library before versions 3.1.2 and 2.7.4. [The OkHttp issue is tracked as CVE-2016-2402] Brief overview Certificate pinning is a control used to mitigate Man-In-The-Middle attacks by privileged attackers. »