SlideShare a Scribd company logo
1 of 19
Download to read offline
Modern SSL Pinning
in iOS system & applications
Dima Kovalenko
Dec 2, 2017
OWASP Kyiv 2017
Agenda
1. Seasons in the sun
2. Smelly breath of SSL
3. SSL pinning versus SSLKillSwitch
4. Modern techniques to sniff/prevent sniffing SSL traffic
5. Summary
Seasons in the sun
From the beginning of the iPhone era to 2010:
● HTTP everywhere
● HTTPs is a very rare beast
● Any HTTP sniffer can see applications’
traffic
Life is good!
Seasons in the sun
Apple AppStore traffic in 2009
Seasons in the sun
Apple AppStore traffic in 2009
Smelly breath of SSL
Starting from 2010, more and more iOS apps use SSL. However:
● HTTP protocol is still widely used (now over SSL)
● iOS applications trust system certificate storage
It looks like SSL is used mostly to prevent MitM-attacks (stealing
passwords, cookies etc) that prevent sniffing traffic from your own device.
Smelly breath of SSL
In 2010, the way to bypass SSL is simple:
1. Generate an SSL certificate
2. Add the certificate to iOS system storage
3. Use the certificate in your sniffer
Smelly breath of SSL
Numerous instructions how to do it
SSL pinning versus SSLKillSwitch
SSL certificate pinning is widely used since about 2012.
1. HTTP is still the core protocol for many iOS apps, but...
2. ...the apps do not trust system certificate storage anymore!
SSL pinning versus SSLKillSwitch
So
1. Any app has it’s own “per-app” certificate storage.
2. There is no common implementation of the “per-app” storages (iOS apps
hardcode certificates, keep certificates in external files, request certificates on
first start and save to app bundle settings etc).
3. There is no common way to sniff SSL traffic
anymore!
SSL pinning versus SSLKillSwitch
In July 2012, Alban “nabla” Diquet saves all!
His research shows that
1. Most of iOS apps (and even iOS itself) use
the same system function to check certificate
2. The functions can be hooked/patched to
make any certificate valid
SSL pinning versus SSLKillSwitch
The nabla’s tool, called SSLKillSwitch, is a MobileSubstrate extension.
It hooks 3 important iOS SSL stack functions:
● SSLSetSessionOption(...)
● SSLCreateContext(...)
● SSLHandshake(...)
Of course, SSLKillSwitch is not the only tool of this kind, but I believe it’s first and
most used.
<!-- DEMO1: SSLKillSwitch against YouTube -->
SSL pinning versus SSLKillSwitch
Modern techniques to sniff/prevent sniffing SSL traffic
In 2016, iOS app developers start to implement custom SSL validation techniques.
The techniques include numerous features, e.g.
1. Pinning public keys (SubjectPublicKeyInfo (SPKI)) vs. certificate pinning
2. Client-side certificates
3. iOS SSL stack functions integrity check…
4. ...and so on
SSLKillSwitch and similar tools are not the absolute weapon against SSL pinning
anymore!
Modern techniques to sniff/prevent sniffing SSL traffic
<!-- DEMO2: hook SSLRead/SSLWrite and sniff Apple Push traffic -->
Modern techniques to sniff/prevent sniffing SSL traffic
<!-- DEMO3: patch Instagram openssl-based embedded SSL framework and sniff
the traffic -->
Summary
Everything is bad!
QUESTIONS?
Twitter: @kov4l3nko
Mail: kov4l3nko@gmail.com
Blog: https://kov4l3nko.github.io

More Related Content

Similar to Dima Kovalenko - Modern SSL Pinning

Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
Web API Security
Web API SecurityWeb API Security
Web API SecurityStefaan
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Differences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdfDifferences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdfHost It Smart
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureBrian Ritchie
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ONOWASP EEE
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationAlex Senkevitch
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia PotapenkoFwdays
 
Keychain Services Programming Guide
Keychain Services Programming GuideKeychain Services Programming Guide
Keychain Services Programming GuideDEVTYPE
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM DominoJared Roberts
 
Secure Your Mobile Content!
Secure Your Mobile Content!Secure Your Mobile Content!
Secure Your Mobile Content!Mike Brannon
 
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...Webrazzi
 

Similar to Dima Kovalenko - Modern SSL Pinning (20)

iOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdfiOS Application Security And Static Analysis.pdf
iOS Application Security And Static Analysis.pdf
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Differences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdfDifferences to Know Between SSL & TLS certificate .pdf
Differences to Know Between SSL & TLS certificate .pdf
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
UL TS - CSA NL SUMMIT
UL TS - CSA NL SUMMITUL TS - CSA NL SUMMIT
UL TS - CSA NL SUMMIT
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko"Crypto wallets security. For developers", Julia Potapenko
"Crypto wallets security. For developers", Julia Potapenko
 
Keychain Services Programming Guide
Keychain Services Programming GuideKeychain Services Programming Guide
Keychain Services Programming Guide
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
 
Secure Your Mobile Content!
Secure Your Mobile Content!Secure Your Mobile Content!
Secure Your Mobile Content!
 
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
 

More from OWASP Kyiv

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...OWASP Kyiv
 
Software Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиOWASP Kyiv
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteOWASP Kyiv
 
Threat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonOWASP Kyiv
 
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...OWASP Kyiv
 
Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101OWASP Kyiv
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityOWASP Kyiv
 
Ivan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git PushOWASP Kyiv
 
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingOWASP Kyiv
 
Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?OWASP Kyiv
 
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansOWASP Kyiv
 
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceOWASP Kyiv
 
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSocketsOWASP Kyiv
 
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017OWASP Kyiv
 
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorOWASP Kyiv
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsOWASP Kyiv
 
Vlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All LoveOWASP Kyiv
 
Volodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya InvestigationOWASP Kyiv
 
Ihor Bliumental - Collision CORS
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORSOWASP Kyiv
 
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersOWASP Kyiv
 

More from OWASP Kyiv (20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
 
Software Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
 
Threat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
 
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
 
Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
 
Ivan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
 
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
 
Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
 
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
 
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
 
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSockets
 
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
 
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
 
Vlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
 
Volodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
 
Ihor Bliumental - Collision CORS
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
 
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

Dima Kovalenko - Modern SSL Pinning

  • 1. Modern SSL Pinning in iOS system & applications Dima Kovalenko Dec 2, 2017 OWASP Kyiv 2017
  • 2. Agenda 1. Seasons in the sun 2. Smelly breath of SSL 3. SSL pinning versus SSLKillSwitch 4. Modern techniques to sniff/prevent sniffing SSL traffic 5. Summary
  • 3. Seasons in the sun From the beginning of the iPhone era to 2010: ● HTTP everywhere ● HTTPs is a very rare beast ● Any HTTP sniffer can see applications’ traffic Life is good!
  • 4. Seasons in the sun Apple AppStore traffic in 2009
  • 5. Seasons in the sun Apple AppStore traffic in 2009
  • 6. Smelly breath of SSL Starting from 2010, more and more iOS apps use SSL. However: ● HTTP protocol is still widely used (now over SSL) ● iOS applications trust system certificate storage It looks like SSL is used mostly to prevent MitM-attacks (stealing passwords, cookies etc) that prevent sniffing traffic from your own device.
  • 7. Smelly breath of SSL In 2010, the way to bypass SSL is simple: 1. Generate an SSL certificate 2. Add the certificate to iOS system storage 3. Use the certificate in your sniffer
  • 8. Smelly breath of SSL Numerous instructions how to do it
  • 9. SSL pinning versus SSLKillSwitch SSL certificate pinning is widely used since about 2012. 1. HTTP is still the core protocol for many iOS apps, but... 2. ...the apps do not trust system certificate storage anymore!
  • 10. SSL pinning versus SSLKillSwitch So 1. Any app has it’s own “per-app” certificate storage. 2. There is no common implementation of the “per-app” storages (iOS apps hardcode certificates, keep certificates in external files, request certificates on first start and save to app bundle settings etc). 3. There is no common way to sniff SSL traffic anymore!
  • 11. SSL pinning versus SSLKillSwitch In July 2012, Alban “nabla” Diquet saves all! His research shows that 1. Most of iOS apps (and even iOS itself) use the same system function to check certificate 2. The functions can be hooked/patched to make any certificate valid
  • 12. SSL pinning versus SSLKillSwitch The nabla’s tool, called SSLKillSwitch, is a MobileSubstrate extension. It hooks 3 important iOS SSL stack functions: ● SSLSetSessionOption(...) ● SSLCreateContext(...) ● SSLHandshake(...) Of course, SSLKillSwitch is not the only tool of this kind, but I believe it’s first and most used.
  • 13. <!-- DEMO1: SSLKillSwitch against YouTube --> SSL pinning versus SSLKillSwitch
  • 14. Modern techniques to sniff/prevent sniffing SSL traffic In 2016, iOS app developers start to implement custom SSL validation techniques. The techniques include numerous features, e.g. 1. Pinning public keys (SubjectPublicKeyInfo (SPKI)) vs. certificate pinning 2. Client-side certificates 3. iOS SSL stack functions integrity check… 4. ...and so on SSLKillSwitch and similar tools are not the absolute weapon against SSL pinning anymore!
  • 15. Modern techniques to sniff/prevent sniffing SSL traffic <!-- DEMO2: hook SSLRead/SSLWrite and sniff Apple Push traffic -->
  • 16. Modern techniques to sniff/prevent sniffing SSL traffic <!-- DEMO3: patch Instagram openssl-based embedded SSL framework and sniff the traffic -->