Certificate Pinning for mobile apps - OWASP AppSecEU16 slides

As you might have guessed from previous posts on the topic, I’ve been researching certificate pinning implementations in mobile apps for the last couple of years. Two months ago I presented a talk on certificate pinning at the OWASP AppSecEU16 conference in Rome, Italy. The conference was pretty fun; I met so many interesting people. So, here are the slides and the video. The official abstract: Pinning Certificates (“Cert Pinning”) trends perennially, coming to the fore with each new SSL hack.

Testing for CVE-2016-2402 and similar pinning issues

Two weeks ago I published details of an attack method that can be used to bypass various implementations of certificate pinning in Android or, more generally, Java applications. Several applications and frameworks are still vulnerable to the attack, among them every Java or Android application using a version of the popular OkHttp networking library before versions 3.1.2 and 2.7.4. [The OkHttp issue is tracked as CVE-2016-2402] Brief overview: Certificate pinning is a control used to mitigate Man-In-The-Middle attacks by privileged attackers.

Inside SafetyNet - part 2

This post is part of a series: Inside SafetyNet part 1 (Oct 2015); Inside SafetyNet part 2 (Feb 2016); Inside SafetyNet part 3 (Nov 2016); How to implement Attestation securely using server-side checks (my blog, Cigital blog); SafetyNet Playground (POC server-side implementation: Play Store, Android source, PHP source). It’s been six months since my last blog post on Android’s SafetyNet. I was then examining a mid-July 2015 version of the system.

Network Security Policy configuration for Android apps

android.security.net.config capabilities: permit clear-text traffic, HSTS enforcement, certificate pinning, custom trust anchors. Android engineers have recently been busy building out AndroidNSSP (Android Network Security Provider): a system that application developers will be able to use in order to control aspects of the network security policy of their application. It’s been long overdue, and there are various bits and pieces still missing; however, important parts were merged to AOSP master about a month ago.

Using Android's tamper detection securely in your app

In a previous blog post, I described how Google Play’s SafetyNet service is structured, from a technical perspective, diving deep into details and the checks it performs on the device. Recap: Google Play’s SafetyNet service allows your application to gain information about the ‘CTS compatibility’ status of the device you are running on. You can think of CTS compatibility as a mix of rooting detection, device tampering detection and active MitM detection.