SlideShare a Scribd company logo

Microsoft Bluehat 2017: Mobile SSL Interception

H
Himanshu Dwivedi

Where, how, and why is SSL traffic on mobile getting intercepted? A look at three million real-world SSL incidents.

Technology
1 of 78
Mobile SSL Interception in the Wild Where, how, and why? Alban Diquet Thomas Sileo Data Theorem BlueHat 2017
Agenda • Data collection methodology • Data set and analysis of forged SSL certificates • Results of the analysis • Conclusion
Data Collection Methodology
TrustKit • Open-source library for SSL reporting and SSL pinning • Released for iOS in 2015 and for Android earlier this year • https://github.com/datatheorem/TrustKit • Makes it easy to monitor and improve the security of the app’s network connections
SSL Pinning • Hardcode in the app the SSL public key(s) to be expected to be used by the app’s server(s)
SSL Pinning • Hardcode in the app the SSL public key(s) to be expected to be used by the app’s server(s)
SSL Pinning • Hardcode in the app the SSL public key(s) to be expected to be used by the app’s server(s)
SSL Pinning • Hardcode in the app the SSL public key(s) to be expected to be used by the app’s server(s) lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=
SSL Reporting • Send a report whenever an SSL error occurred • Default/OS SSL validation error • Name mismatch, expired certificate, untrusted CA, etc. • TrustKit Pinning validation error • Pinned SSL key not found in the server’s chain App Server
SSL Reporting { "app-bundle-id": "com.datatheorem.testtrustkit", "app-version": “1.2", "app-vendor-id": "599F9C00-92DC-4B5C-9464-7971F01F8370", "app-platform": "IOS", "trustkit-version": “1.5.3", "hostname": "www.datatheorem.com", "port": 443, "noted-hostname": "datatheorem.com", "include-subdomains": true, "enforce-pinning": true, "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2015-06-08T01:58:05Z", "known-pins": [ "pin-sha256="rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="", "pin-sha256="TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY="" ], "validation-result": 1 }
SSL Reporting • TrustKit can be configured to send the reports to any domain • Data Theorem hosts one for free that developers can leverage • Dashboard to see trends and inspect individual reports • Notifications for when something unexpected happens • Suspicious actor, spike in reports, etc.
Demo
Data Set and Report Classification
The Data Set • From nearly 2 000 different apps • Banking • Shopping • Music/streaming • News Top Platform iOS 93.3% Android 5.3% macOS 1% tvOS 0.4%
The Data Set Top Countries US 71% GB 9.5% TW 7.3% CA 1.8% HK 1.3%
The Data Set • 3.3 million unique certificate chains • 78% of the certificates matched the hostname • Actual interception attempts Certificate chain depth 2 62.2% 3 24% 1 11.4% 4 1.8% 5 0.5% 6 0.001%
Report Classification • Use different heuristics to try to find the root cause • By looking at the content of the report, mainly the certificate chain • Save some metadata along with the server date • Contact the server for the hostname that was in the report, to fetch its “real” certificate chain
Report Classification • Perform default SSL validation on the certificate chain • Leverage a set of rules that can target: • A specific certificate or a specific public key • Any certificate fields (Common Name, etc.)
Report Classification dev_tools: PortSwigger: root: - 'PortSwigger CA' Fiddler: root: - 'DO_NOT_TRUST_FiddlerRoot' Charles Proxy: root: - !regexp '^Charles Proxy Custom Root Certificate (built on .+)$' - !regexp '^Charles Proxy CA (.+)$' mitmproxy: root: - 'mitmproxy' […]
Report Classification { "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", raw report
{ "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", Report Classification raw report
{ "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", Report Classification raw report "…": […], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", “-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "received_at”: “2017-03-03T21:27:25Z", } report metadata
{ "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", Report Classification raw report "…": […], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", “-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "received_at”: “2017-03-03T21:27:25Z", } report metadata !=
Report Classification { "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", “…": […], raw report certificate chain info
Report Classification flagged for manual review corporate_appliance: Cisco Umbrella: url: 'https://umbrella.cisco.com/' root: - 'Cisco Umbrella Primary SubCA' […] { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", “…": […], certificate chain info classifier ruleset
Report Classification corporate_appliance / Fortinet corporate_appliance: […] Fortinet: leaf: - !IssuerCommonName 'FortiGate CA' […] { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", “…": […], certificate chain info classifier ruleset
Results of the Analysis
Classification Categories 9 195 807 reports
Classification Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Captive Portals 11% Not Reviewed Yet 6% Server Misconfig 4.3% Corp Networks 2.2% Unknown 2.5% Client Clock Misconfig 0.5% Dev Artifacts 0.5%
Non-Mitm Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconfig 0.5% Server Misconfig 4.3%
Non-Mitm Categories 9 195 807 reports Server Misconfig 4.3%
Server Misconfiguration • Category for servers with expired SSL certificates • Huge spike of report when a certificate deployed in production expired:
Non-Mitm Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconfig 0.5% Server Misconfig 4.3%
Previous Work • Data from Chrome desktop for google.com:
Non-Mitm Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconfig 0.5% Server Misconfig 4.3%
Classification Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Captive Portals 11% Not Reviewed Yet 6% Server Misconfig 4.3% Corp Networks 2.2% Unknown 2.5% Client Clock Misconfig 0.5% Dev Artifacts 0.5%
Mitm Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Dev Artifacts 0.5% Corp Networks 2.2%
Mitm Categories 9 195 807 reports Dev Artifacts 0.5%
Development Proxies
Mitm Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Dev Artifacts 0.5% Corp Networks 2.2%
Mitm Categories 9 195 807 reports Corp Networks 2.2%
Corporate Networks
Corporate Networks • For servers with a 2048 RSA certificate, what is the size of the middlebox’s certificate? Middlebox Downgrade 158 375 reports 2048-bit 68% 1024-bit 29% 2432-bit 1.9% 4096-bit 1.1% 512-bit 0.14% • 29% of reports showed a downgrade to RSA 1024 or less • TLS 1.3: big debate around encryption VS inspection
Mitm Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Dev Artifacts 0.5% Corp Networks 2.2%
Mitm Categories 9 195 807 reports Pins Misconfig 34%
Pins Misconfiguration • The SSL pins hardcoded in the app do not match the server’s “real" certificate chain! • With enforce-pinning disabled: • The app still works but is constantly sending reports • With enforce-pinning enabled: • The app’s connections will always fail
Pins Misconfiguration • 22% of apps with misconfigured SSL pins • Pressure on mobile developers to implement SSL pinning in their apps • From security teams, bug bounties, etc. • But most apps do not need it • Significant logistical overheard to keep pins in the app in sync with the server SSL keys
Pins Misconfiguration
Pins Misconfiguration
“Several thousands of customers of small and medium-sized businesses, operating mostly in the UK market, will not be able to perform any transactions from 8.30 a.m. 25/11/16 on a "Black Friday" and during the holiday shopping period. This will affect hundreds of thousands of customer's transactions, until the application is updated, and then released again.”
Mitm Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Dev Artifacts 0.5% Corp Networks 2.2%
Mitm Categories 9 195 807 reports Spyware 39%
Spyware Categories Market Intelligence
 3 580 078 reports Ad Blocker
 18 463 reports Parental Control
 10 820 reports
Spyware Categories Market Intelligence
 3 580 078 reports MobileXpression 91% Digital Reflection 4% Verto Analytics 3.3% Luth 1.4% AnalyzeMe 0.3% Ad Blocker
 18 463 reports Parental Control
 10 820 reports
Spyware - Market Intel • Mainly investigated MobileXpression and Digital Reflection • Common Name of the intercepting root/CA certificate • Large number of reports across ~20 000 devices • Only seen on iOS devices
MobileXpression
Demo
MobileXpression
MobileXpression
What Happened? • A configuration profile was installed on the device • With an always-on VPN config • To route all traffic through the MobileXpression server • With a custom root CA added to the device’s trust store • To allow traffic decryption by the MobileXpression server MobileXpression VPN App Server
MobileXpression? “MobileXpression is a service of comScore, Inc., a global leader in measuring the digital world, providing insights into consumer behavior and attitudes.”
ComScore • Owner of several “market research” apps • MobileXpression, Digital Reflection • Promise users rewards (gif cards, etc.) for installing the app and configuration profile
ComScore • Owner of several “market research” apps • MobileXpression, Digital Reflection • Promise users rewards (gif cards, etc.) for installing the app and configuration profile
ComScore “This capability is based on a massive, global cross-section of approximately 2 million consumers, who have allowed comScore to collect their online browsing, hardware and application usage, and purchasing behavior.”
ComScore • Inspect/decrypt all the users’ traffic to measure app usage • ComScore’s business model as a "measurement company”
Spyware - Market Intel • Configuration profiles are problematic • Highly technical security warnings when installing the profile • The profile/VPN does not get uninstalled when removing the app • Makes sense from a technical perspective but will confuse users • But not an easy issue to fix • Corporate enrollment / MDM use case • A profile can be installed directly via Safari • Banning the spyware app from the store does not prevent it
Spyware Categories Market Intelligence
 3 580 078 reports Ad Blocker
 18 463 reports Parental Control
 10 820 reports
Spyware Categories Market Intelligence
 3 580 078 reports Parental Control
 10 820 reports Ad Blocker
 18 463 reports Defend My WiFi 59% AdBl0ck 34% AdGuard 7%
Spyware - Ad Blocker • Similar technical implementation with a VPN and custom CA • Defend My WiFi • "Automatically turns public Wi-Fi into safe and secure private WiFi” • Company does not exist anymore? • Adblock Mobile • iOS 8: SSL mitm on ad domains only • iOS 9+: No more custom CA installed
Spyware Categories Market Intelligence
 3 580 078 reports Ad Blocker
 18 463 reports Parental Control
 10 820 reports
Spyware Categories Market Intelligence
 3 580 078 reports Ad Blocker
 18 463 reports Parental Control
 10 820 reports Qustodio 74% Accountable2You 24% Circle Go 2%
Spyware - Parental Control • Qustodio, Accountable2You, Circle Go • Parental control/monitoring tools
Conclusion
What did we see? • Traffic interception does happen, and for many reasons • It has an impact on the security of the connection • Usually not malicious • Employers • Users “willingly” sharing their data for a reward • No visible move from Apple and Google on this
What do we do? • Which group does your app belong to? • It is acceptable to expose the user’s data to “lawful interception” (such as the user’s employer) • Games, Business apps • The user’s data is private and can never be exposed • Mobile banking • Can be technically enforced via SSL pinning
What do we do? • More options on mobile compared to the web • SSL reporting can help understand what is happening across your user base • SSL pinning can be used for sensitive apps • Does not prevent reverse-engineering of your app • Significant burden and risk of catastrophic failure • Must be decided and planned carefully
Thanks! @nabla_c0d3 @trucsdedev
Questions? @nabla_c0d3 @trucsdedev

Recommended

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
BSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesBSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesJason Trost
 
SECURE CLOUD STORAGE FOR REMOTE MOBILE DATA COLLECTION, Federico Mancini, UiB
SECURE CLOUD STORAGE FOR REMOTE MOBILE DATA COLLECTION, Federico Mancini, UiBSECURE CLOUD STORAGE FOR REMOTE MOBILE DATA COLLECTION, Federico Mancini, UiB
SECURE CLOUD STORAGE FOR REMOTE MOBILE DATA COLLECTION, Federico Mancini, UiBThe Research Council of Norway, IKTPLUSS
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
Putting the PRE into ATTACK
Putting the PRE into ATTACKPutting the PRE into ATTACK
Putting the PRE into ATTACKMITRE - ATT&CKcon
 
An Adversarial View of SaaS Malware Sandboxes
An Adversarial View of SaaS Malware SandboxesAn Adversarial View of SaaS Malware Sandboxes
An Adversarial View of SaaS Malware SandboxesJason Trost
 

Recommended

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
BSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesBSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesJason Trost
 
SECURE CLOUD STORAGE FOR REMOTE MOBILE DATA COLLECTION, Federico Mancini, UiB
SECURE CLOUD STORAGE FOR REMOTE MOBILE DATA COLLECTION, Federico Mancini, UiBSECURE CLOUD STORAGE FOR REMOTE MOBILE DATA COLLECTION, Federico Mancini, UiB
SECURE CLOUD STORAGE FOR REMOTE MOBILE DATA COLLECTION, Federico Mancini, UiBThe Research Council of Norway, IKTPLUSS
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
Putting the PRE into ATTACK
Putting the PRE into ATTACKPutting the PRE into ATTACK
Putting the PRE into ATTACKMITRE - ATT&CKcon
 
An Adversarial View of SaaS Malware Sandboxes
An Adversarial View of SaaS Malware SandboxesAn Adversarial View of SaaS Malware Sandboxes
An Adversarial View of SaaS Malware SandboxesJason Trost
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECDeploy360 Programme (Internet Society)
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020MITRE - ATT&CKcon
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-idAlberto Rivai
 
Configuring asa site to-site vp ns
Configuring asa site to-site vp nsConfiguring asa site to-site vp ns
Configuring asa site to-site vp nschiensy
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On) Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On) Splunk
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Andrew Morris
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationCloudflare
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrGeorg Knon
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerRob Ragan
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference
 
SSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesSSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesNelson Calero
 

More Related Content

What's hot

Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020MITRE - ATT&CKcon
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-idAlberto Rivai
 
Configuring asa site to-site vp ns
Configuring asa site to-site vp nsConfiguring asa site to-site vp ns
Configuring asa site to-site vp nschiensy
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On) Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On) Splunk
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Andrew Morris
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationCloudflare
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrGeorg Knon
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerRob Ragan
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 

What's hot (20)

ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
 
Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-OnSplunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-On
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-id
 
Configuring asa site to-site vp ns
Configuring asa site to-site vp nsConfiguring asa site to-site vp ns
Configuring asa site to-site vp ns
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On) Splunk Enterprise for Information Security (Hands-On)
Splunk Enterprise for Information Security (Hands-On)
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and Mitigation
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
 
Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?Cryptzone: What is a Software-Defined Perimeter?
Cryptzone: What is a Software-Defined Perimeter?
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 

Similar to Microsoft Bluehat 2017: Mobile SSL Interception

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat Security Conference
 
SSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesSSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesNelson Calero
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB
 
NVS_Sentinel
NVS_SentinelNVS_Sentinel
NVS_SentinelMike Mihm
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideJ.D. Wade
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
State of the Web
State of the WebState of the Web
State of the WebCASCouncil
 
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explainedCisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explainedCisco Canada
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guideJ.D. Wade
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUlf Mattsson
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices WorldDiogo Mónica
 
How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?mirmaisam
 
BuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended EventsBuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended EventsJason Strate
 

Similar to Microsoft Bluehat 2017: Mobile SSL Interception (20)

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
SSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprisesSSL certificates in the Oracle Database without surprises
SSL certificates in the Oracle Database without surprises
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID Access
 
NVS_Sentinel
NVS_SentinelNVS_Sentinel
NVS_Sentinel
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Tech t18
Tech t18Tech t18
Tech t18
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
State of the Web
State of the WebState of the Web
State of the Web
 
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explainedCisco Connect Ottawa 2018 cloud and on premises collaboration security explained
Cisco Connect Ottawa 2018 cloud and on premises collaboration security explained
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENTUNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
UNCOVER DATA SECURITY BLIND SPOTS IN YOUR CLOUD, BIG DATA & DEVOPS ENVIRONMENT
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
 
How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?
 
BuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended EventsBuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended Events
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
 
Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25
 

Recently uploaded

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Microsoft Bluehat 2017: Mobile SSL Interception

  • 1. Mobile SSL Interception in the Wild Where, how, and why? Alban Diquet Thomas Sileo Data Theorem BlueHat 2017
  • 2. Agenda • Data collection methodology • Data set and analysis of forged SSL certificates • Results of the analysis • Conclusion
  • 4. TrustKit • Open-source library for SSL reporting and SSL pinning • Released for iOS in 2015 and for Android earlier this year • https://github.com/datatheorem/TrustKit • Makes it easy to monitor and improve the security of the app’s network connections
  • 5. SSL Pinning • Hardcode in the app the SSL public key(s) to be expected to be used by the app’s server(s)
  • 6. SSL Pinning • Hardcode in the app the SSL public key(s) to be expected to be used by the app’s server(s)
  • 7. SSL Pinning • Hardcode in the app the SSL public key(s) to be expected to be used by the app’s server(s)
  • 8. SSL Pinning • Hardcode in the app the SSL public key(s) to be expected to be used by the app’s server(s) lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=
  • 9. SSL Reporting • Send a report whenever an SSL error occurred • Default/OS SSL validation error • Name mismatch, expired certificate, untrusted CA, etc. • TrustKit Pinning validation error • Pinned SSL key not found in the server’s chain App Server
  • 10. SSL Reporting { "app-bundle-id": "com.datatheorem.testtrustkit", "app-version": “1.2", "app-vendor-id": "599F9C00-92DC-4B5C-9464-7971F01F8370", "app-platform": "IOS", "trustkit-version": “1.5.3", "hostname": "www.datatheorem.com", "port": 443, "noted-hostname": "datatheorem.com", "include-subdomains": true, "enforce-pinning": true, "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2015-06-08T01:58:05Z", "known-pins": [ "pin-sha256="rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="", "pin-sha256="TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY="" ], "validation-result": 1 }
  • 11. SSL Reporting • TrustKit can be configured to send the reports to any domain • Data Theorem hosts one for free that developers can leverage • Dashboard to see trends and inspect individual reports • Notifications for when something unexpected happens • Suspicious actor, spike in reports, etc.
  • 12. Demo
  • 13. Data Set and Report Classification
  • 14. The Data Set • From nearly 2 000 different apps • Banking • Shopping • Music/streaming • News Top Platform iOS 93.3% Android 5.3% macOS 1% tvOS 0.4%
  • 15. The Data Set Top Countries US 71% GB 9.5% TW 7.3% CA 1.8% HK 1.3%
  • 16. The Data Set • 3.3 million unique certificate chains • 78% of the certificates matched the hostname • Actual interception attempts Certificate chain depth 2 62.2% 3 24% 1 11.4% 4 1.8% 5 0.5% 6 0.001%
  • 17. Report Classification • Use different heuristics to try to find the root cause • By looking at the content of the report, mainly the certificate chain • Save some metadata along with the server date • Contact the server for the hostname that was in the report, to fetch its “real” certificate chain
  • 18. Report Classification • Perform default SSL validation on the certificate chain • Leverage a set of rules that can target: • A specific certificate or a specific public key • Any certificate fields (Common Name, etc.)
  • 19. Report Classification dev_tools: PortSwigger: root: - 'PortSwigger CA' Fiddler: root: - 'DO_NOT_TRUST_FiddlerRoot' Charles Proxy: root: - !regexp '^Charles Proxy Custom Root Certificate (built on .+)$' - !regexp '^Charles Proxy CA (.+)$' mitmproxy: root: - 'mitmproxy' […]
  • 20. Report Classification { "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", raw report
  • 21. { "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", Report Classification raw report
  • 22. { "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", Report Classification raw report "…": […], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", “-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "received_at”: “2017-03-03T21:27:25Z", } report metadata
  • 23. { "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", Report Classification raw report "…": […], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", “-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "received_at”: “2017-03-03T21:27:25Z", } report metadata !=
  • 24. Report Classification { "app-bundle-id": “com.datatheorem.corporate_proxy", "hostname": "www.datatheorem.com", “validated-certificate-chain”: [ "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[…]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": “…", { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", “…": […], raw report certificate chain info
  • 25. Report Classification flagged for manual review corporate_appliance: Cisco Umbrella: url: 'https://umbrella.cisco.com/' root: - 'Cisco Umbrella Primary SubCA' […] { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", “…": […], certificate chain info classifier ruleset
  • 26. Report Classification corporate_appliance / Fortinet corporate_appliance: […] Fortinet: leaf: - !IssuerCommonName 'FortiGate CA' […] { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", “…": […], certificate chain info classifier ruleset
  • 29. Classification Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Captive Portals 11% Not Reviewed Yet 6% Server Misconfig 4.3% Corp Networks 2.2% Unknown 2.5% Client Clock Misconfig 0.5% Dev Artifacts 0.5%
  • 30. Non-Mitm Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconfig 0.5% Server Misconfig 4.3%
  • 31. Non-Mitm Categories 9 195 807 reports Server Misconfig 4.3%
  • 32. Server Misconfiguration • Category for servers with expired SSL certificates • Huge spike of report when a certificate deployed in production expired:
  • 33. Non-Mitm Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconfig 0.5% Server Misconfig 4.3%
  • 34. Previous Work • Data from Chrome desktop for google.com:
  • 35. Non-Mitm Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconfig 0.5% Server Misconfig 4.3%
  • 36. Classification Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Captive Portals 11% Not Reviewed Yet 6% Server Misconfig 4.3% Corp Networks 2.2% Unknown 2.5% Client Clock Misconfig 0.5% Dev Artifacts 0.5%
  • 37. Mitm Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Dev Artifacts 0.5% Corp Networks 2.2%
  • 38. Mitm Categories 9 195 807 reports Dev Artifacts 0.5%
  • 40. Mitm Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Dev Artifacts 0.5% Corp Networks 2.2%
  • 41. Mitm Categories 9 195 807 reports Corp Networks 2.2%
  • 43. Corporate Networks • For servers with a 2048 RSA certificate, what is the size of the middlebox’s certificate? Middlebox Downgrade 158 375 reports 2048-bit 68% 1024-bit 29% 2432-bit 1.9% 4096-bit 1.1% 512-bit 0.14% • 29% of reports showed a downgrade to RSA 1024 or less • TLS 1.3: big debate around encryption VS inspection
  • 44. Mitm Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Dev Artifacts 0.5% Corp Networks 2.2%
  • 45. Mitm Categories 9 195 807 reports Pins Misconfig 34%
  • 46. Pins Misconfiguration • The SSL pins hardcoded in the app do not match the server’s “real" certificate chain! • With enforce-pinning disabled: • The app still works but is constantly sending reports • With enforce-pinning enabled: • The app’s connections will always fail
  • 47. Pins Misconfiguration • 22% of apps with misconfigured SSL pins • Pressure on mobile developers to implement SSL pinning in their apps • From security teams, bug bounties, etc. • But most apps do not need it • Significant logistical overheard to keep pins in the app in sync with the server SSL keys
  • 50. “Several thousands of customers of small and medium-sized businesses, operating mostly in the UK market, will not be able to perform any transactions from 8.30 a.m. 25/11/16 on a "Black Friday" and during the holiday shopping period. This will affect hundreds of thousands of customer's transactions, until the application is updated, and then released again.”
  • 51. Mitm Categories 9 195 807 reports Spyware 39% Pins Misconfig 34% Dev Artifacts 0.5% Corp Networks 2.2%
  • 52. Mitm Categories 9 195 807 reports Spyware 39%
  • 53. Spyware Categories Market Intelligence
 3 580 078 reports Ad Blocker
 18 463 reports Parental Control
 10 820 reports
  • 54. Spyware Categories Market Intelligence
 3 580 078 reports MobileXpression 91% Digital Reflection 4% Verto Analytics 3.3% Luth 1.4% AnalyzeMe 0.3% Ad Blocker
 18 463 reports Parental Control
 10 820 reports
  • 55. Spyware - Market Intel • Mainly investigated MobileXpression and Digital Reflection • Common Name of the intercepting root/CA certificate • Large number of reports across ~20 000 devices • Only seen on iOS devices
  • 57. Demo
  • 60. What Happened? • A configuration profile was installed on the device • With an always-on VPN config • To route all traffic through the MobileXpression server • With a custom root CA added to the device’s trust store • To allow traffic decryption by the MobileXpression server MobileXpression VPN App Server
  • 61. MobileXpression? “MobileXpression is a service of comScore, Inc., a global leader in measuring the digital world, providing insights into consumer behavior and attitudes.”
  • 62. ComScore • Owner of several “market research” apps • MobileXpression, Digital Reflection • Promise users rewards (gif cards, etc.) for installing the app and configuration profile
  • 63. ComScore • Owner of several “market research” apps • MobileXpression, Digital Reflection • Promise users rewards (gif cards, etc.) for installing the app and configuration profile
  • 64. ComScore “This capability is based on a massive, global cross-section of approximately 2 million consumers, who have allowed comScore to collect their online browsing, hardware and application usage, and purchasing behavior.”
  • 65. ComScore • Inspect/decrypt all the users’ traffic to measure app usage • ComScore’s business model as a "measurement company”
  • 66. Spyware - Market Intel • Configuration profiles are problematic • Highly technical security warnings when installing the profile • The profile/VPN does not get uninstalled when removing the app • Makes sense from a technical perspective but will confuse users • But not an easy issue to fix • Corporate enrollment / MDM use case • A profile can be installed directly via Safari • Banning the spyware app from the store does not prevent it
  • 67. Spyware Categories Market Intelligence
 3 580 078 reports Ad Blocker
 18 463 reports Parental Control
 10 820 reports
  • 68. Spyware Categories Market Intelligence
 3 580 078 reports Parental Control
 10 820 reports Ad Blocker
 18 463 reports Defend My WiFi 59% AdBl0ck 34% AdGuard 7%
  • 69. Spyware - Ad Blocker • Similar technical implementation with a VPN and custom CA • Defend My WiFi • "Automatically turns public Wi-Fi into safe and secure private WiFi” • Company does not exist anymore? • Adblock Mobile • iOS 8: SSL mitm on ad domains only • iOS 9+: No more custom CA installed
  • 70. Spyware Categories Market Intelligence
 3 580 078 reports Ad Blocker
 18 463 reports Parental Control
 10 820 reports
  • 71. Spyware Categories Market Intelligence
 3 580 078 reports Ad Blocker
 18 463 reports Parental Control
 10 820 reports Qustodio 74% Accountable2You 24% Circle Go 2%
  • 72. Spyware - Parental Control • Qustodio, Accountable2You, Circle Go • Parental control/monitoring tools
  • 74. What did we see? • Traffic interception does happen, and for many reasons • It has an impact on the security of the connection • Usually not malicious • Employers • Users “willingly” sharing their data for a reward • No visible move from Apple and Google on this
  • 75. What do we do? • Which group does your app belong to? • It is acceptable to expose the user’s data to “lawful interception” (such as the user’s employer) • Games, Business apps • The user’s data is private and can never be exposed • Mobile banking • Can be technically enforced via SSL pinning
  • 76. What do we do? • More options on mobile compared to the web • SSL reporting can help understand what is happening across your user base • SSL pinning can be used for sensitive apps • Does not prevent reverse-engineering of your app • Significant burden and risk of catastrophic failure • Must be decided and planned carefully