SlideShare ist ein Scribd-Unternehmen logo

Dima Kovalenko - Modern SSL Pinning

OWASP Kyiv
OWASP Kyiv

Dima Kovalenko - Modern SSL Pinning

Technologie
1 von 19
Downloaden Sie, um offline zu lesen
Modern SSL Pinning in iOS system & applications Dima Kovalenko Dec 2, 2017 OWASP Kyiv 2017
Agenda 1. Seasons in the sun 2. Smelly breath of SSL 3. SSL pinning versus SSLKillSwitch 4. Modern techniques to sniff/prevent sniffing SSL traffic 5. Summary
Seasons in the sun From the beginning of the iPhone era to 2010: ● HTTP everywhere ● HTTPs is a very rare beast ● Any HTTP sniffer can see applications’ traffic Life is good!
Seasons in the sun Apple AppStore traffic in 2009
Seasons in the sun Apple AppStore traffic in 2009
Smelly breath of SSL Starting from 2010, more and more iOS apps use SSL. However: ● HTTP protocol is still widely used (now over SSL) ● iOS applications trust system certificate storage It looks like SSL is used mostly to prevent MitM-attacks (stealing passwords, cookies etc) that prevent sniffing traffic from your own device.
Smelly breath of SSL In 2010, the way to bypass SSL is simple: 1. Generate an SSL certificate 2. Add the certificate to iOS system storage 3. Use the certificate in your sniffer
Smelly breath of SSL Numerous instructions how to do it
SSL pinning versus SSLKillSwitch SSL certificate pinning is widely used since about 2012. 1. HTTP is still the core protocol for many iOS apps, but... 2. ...the apps do not trust system certificate storage anymore!
SSL pinning versus SSLKillSwitch So 1. Any app has it’s own “per-app” certificate storage. 2. There is no common implementation of the “per-app” storages (iOS apps hardcode certificates, keep certificates in external files, request certificates on first start and save to app bundle settings etc). 3. There is no common way to sniff SSL traffic anymore!
SSL pinning versus SSLKillSwitch In July 2012, Alban “nabla” Diquet saves all! His research shows that 1. Most of iOS apps (and even iOS itself) use the same system function to check certificate 2. The functions can be hooked/patched to make any certificate valid
SSL pinning versus SSLKillSwitch The nabla’s tool, called SSLKillSwitch, is a MobileSubstrate extension. It hooks 3 important iOS SSL stack functions: ● SSLSetSessionOption(...) ● SSLCreateContext(...) ● SSLHandshake(...) Of course, SSLKillSwitch is not the only tool of this kind, but I believe it’s first and most used.
<!-- DEMO1: SSLKillSwitch against YouTube --> SSL pinning versus SSLKillSwitch
Modern techniques to sniff/prevent sniffing SSL traffic In 2016, iOS app developers start to implement custom SSL validation techniques. The techniques include numerous features, e.g. 1. Pinning public keys (SubjectPublicKeyInfo (SPKI)) vs. certificate pinning 2. Client-side certificates 3. iOS SSL stack functions integrity check… 4. ...and so on SSLKillSwitch and similar tools are not the absolute weapon against SSL pinning anymore!
Modern techniques to sniff/prevent sniffing SSL traffic <!-- DEMO2: hook SSLRead/SSLWrite and sniff Apple Push traffic -->
Modern techniques to sniff/prevent sniffing SSL traffic <!-- DEMO3: patch Instagram openssl-based embedded SSL framework and sniff the traffic -->
Summary Everything is bad!
QUESTIONS?
Twitter: @kov4l3nko Mail: kov4l3nko@gmail.com Blog: https://kov4l3nko.github.io

Empfohlen

Email attachments
Email attachmentsEmail attachments
Email attachments
gmyles
 
Passwords protection
Passwords protectionPasswords protection
Passwords protection
Andrei Angelescu ⚽️💡
 
Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...
Stanfy
 
Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)
Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)
Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)
Terje Wold
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for Websites
Tony Perez
 
10 Ways to Prevent Information Security Incidents
10 Ways to Prevent Information Security Incidents10 Ways to Prevent Information Security Incidents
10 Ways to Prevent Information Security Incidents
Echoworx
 
Storage visibility and Optimization. A Story of Ceph
Storage visibility and Optimization. A Story of CephStorage visibility and Optimization. A Story of Ceph
Storage visibility and Optimization. A Story of Ceph
Yathiraj Udupi, Ph.D.
 
Embracing the Open Source Model
Embracing the Open Source ModelEmbracing the Open Source Model
Embracing the Open Source Model
Cisco DevNet
 

Empfohlen

Email attachments
Email attachmentsEmail attachments
Email attachments
gmyles
 
Passwords protection
Passwords protectionPasswords protection
Passwords protection
Andrei Angelescu ⚽️💡
 
Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...
Stanfy
 
Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)
Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)
Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)
Terje Wold
 
Building a Security Framework for Websites
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for Websites
Tony Perez
 
10 Ways to Prevent Information Security Incidents
10 Ways to Prevent Information Security Incidents10 Ways to Prevent Information Security Incidents
10 Ways to Prevent Information Security Incidents
Echoworx
 
Storage visibility and Optimization. A Story of Ceph
Storage visibility and Optimization. A Story of CephStorage visibility and Optimization. A Story of Ceph
Storage visibility and Optimization. A Story of Ceph
Yathiraj Udupi, Ph.D.
 
Embracing the Open Source Model
Embracing the Open Source ModelEmbracing the Open Source Model
Embracing the Open Source Model
Cisco DevNet
 
iOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdfiOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdf
Cyber security professional services- Detox techno
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
iphonepentest
 
Web API Security
Web API SecurityWeb API Security
Web API Security
Stefaan
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
Sperasoft
 
Differences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdfDifferences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdf
Host It Smart
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
iphonepentest
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
Brian Ritchie
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
OWASP EEE
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
Sophos Benelux
 
UL TS - CSA NL SUMMIT
UL TS - CSA NL SUMMITUL TS - CSA NL SUMMIT
UL TS - CSA NL SUMMIT
Angelo D'Amato
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
Alex Senkevitch
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
Sébastien GIORIA
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
Birju Tank
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
Fwdays
 
Keychain Services Programming Guide
Keychain Services Programming GuideKeychain Services Programming Guide
Keychain Services Programming Guide
DEVTYPE
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
Jared Roberts
 
Secure Your Mobile Content!
Secure Your Mobile Content!Secure Your Mobile Content!
Secure Your Mobile Content!
Mike Brannon
 
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Webrazzi
 
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
OWASP Kyiv
 
Software Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv
 

Weitere ähnliche Inhalte

Ähnlich wie Dima Kovalenko - Modern SSL Pinning

DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
Alex Senkevitch
 

Ähnlich wie Dima Kovalenko - Modern SSL Pinning (20)

iOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdfiOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdf
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Differences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdfDifferences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdf
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
UL TS - CSA NL SUMMIT
UL TS - CSA NL SUMMITUL TS - CSA NL SUMMIT
UL TS - CSA NL SUMMIT
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
 
Keychain Services Programming Guide
Keychain Services Programming GuideKeychain Services Programming Guide
Keychain Services Programming Guide
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
 
Secure Your Mobile Content!
Secure Your Mobile Content!Secure Your Mobile Content!
Secure Your Mobile Content!
 
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
 

Mehr von OWASP Kyiv

Software Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 

Mehr von OWASP Kyiv (20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
 
Software Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
 
Threat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
 
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
 
Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
 
Ivan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
 
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
 
Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
 
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
 
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
 
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSockets
 
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
 
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
 
Vlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
 
Volodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
 
Ihor Bliumental - Collision CORS
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
 
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
 

Kürzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 

Dima Kovalenko - Modern SSL Pinning

  • 1. Modern SSL Pinning in iOS system & applications Dima Kovalenko Dec 2, 2017 OWASP Kyiv 2017
  • 2. Agenda 1. Seasons in the sun 2. Smelly breath of SSL 3. SSL pinning versus SSLKillSwitch 4. Modern techniques to sniff/prevent sniffing SSL traffic 5. Summary
  • 3. Seasons in the sun From the beginning of the iPhone era to 2010: ● HTTP everywhere ● HTTPs is a very rare beast ● Any HTTP sniffer can see applications’ traffic Life is good!
  • 4. Seasons in the sun Apple AppStore traffic in 2009
  • 5. Seasons in the sun Apple AppStore traffic in 2009
  • 6. Smelly breath of SSL Starting from 2010, more and more iOS apps use SSL. However: ● HTTP protocol is still widely used (now over SSL) ● iOS applications trust system certificate storage It looks like SSL is used mostly to prevent MitM-attacks (stealing passwords, cookies etc) that prevent sniffing traffic from your own device.
  • 7. Smelly breath of SSL In 2010, the way to bypass SSL is simple: 1. Generate an SSL certificate 2. Add the certificate to iOS system storage 3. Use the certificate in your sniffer
  • 8. Smelly breath of SSL Numerous instructions how to do it
  • 9. SSL pinning versus SSLKillSwitch SSL certificate pinning is widely used since about 2012. 1. HTTP is still the core protocol for many iOS apps, but... 2. ...the apps do not trust system certificate storage anymore!
  • 10. SSL pinning versus SSLKillSwitch So 1. Any app has it’s own “per-app” certificate storage. 2. There is no common implementation of the “per-app” storages (iOS apps hardcode certificates, keep certificates in external files, request certificates on first start and save to app bundle settings etc). 3. There is no common way to sniff SSL traffic anymore!
  • 11. SSL pinning versus SSLKillSwitch In July 2012, Alban “nabla” Diquet saves all! His research shows that 1. Most of iOS apps (and even iOS itself) use the same system function to check certificate 2. The functions can be hooked/patched to make any certificate valid
  • 12. SSL pinning versus SSLKillSwitch The nabla’s tool, called SSLKillSwitch, is a MobileSubstrate extension. It hooks 3 important iOS SSL stack functions: ● SSLSetSessionOption(...) ● SSLCreateContext(...) ● SSLHandshake(...) Of course, SSLKillSwitch is not the only tool of this kind, but I believe it’s first and most used.
  • 13. <!-- DEMO1: SSLKillSwitch against YouTube --> SSL pinning versus SSLKillSwitch
  • 14. Modern techniques to sniff/prevent sniffing SSL traffic In 2016, iOS app developers start to implement custom SSL validation techniques. The techniques include numerous features, e.g. 1. Pinning public keys (SubjectPublicKeyInfo (SPKI)) vs. certificate pinning 2. Client-side certificates 3. iOS SSL stack functions integrity check… 4. ...and so on SSLKillSwitch and similar tools are not the absolute weapon against SSL pinning anymore!
  • 15. Modern techniques to sniff/prevent sniffing SSL traffic <!-- DEMO2: hook SSLRead/SSLWrite and sniff Apple Push traffic -->
  • 16. Modern techniques to sniff/prevent sniffing SSL traffic <!-- DEMO3: patch Instagram openssl-based embedded SSL framework and sniff the traffic -->