Dima Kovalenko - Modern SSL Pinning

OWASP Kyiv
OWASP Kyiv
Mar. 4, 2018
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
1 of 19

Dima Kovalenko - Modern SSL Pinning

Mar. 4, 2018
Download to read offline
Technology

Dima Kovalenko - Modern SSL Pinning

OWASP Kyiv
OWASP Kyiv

Recommended

Email attachmentsEmail attachments
Email attachmentsgmyles195 views10 slides
Passwords protectionPasswords protection
Passwords protectionAndrei Angelescu ⚽️💡176 views7 slides
Avoiding damage, shame and regrets data protection for mobile client-server a...Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Stanfy7.1K views65 slides
Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)
Ensafer Presentation at NSM's Security Conference 2014 in Oslo (Norway)Terje Wold489 views11 slides
Building a Security Framework for WebsitesBuilding a Security Framework for Websites
Building a Security Framework for WebsitesTony Perez630 views59 slides
10 Ways to Prevent Information Security Incidents10 Ways to Prevent Information Security Incidents
10 Ways to Prevent Information Security IncidentsEchoworx83 views1 slide

More Related Content

Similar to Dima Kovalenko - Modern SSL Pinning

Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest6.4K views49 slides
Web API SecurityWeb API Security
Web API SecurityStefaan 1.3K views38 slides
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft1.4K views64 slides
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest9.1K views54 slides
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)2.9K views45 slides
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureBrian Ritchie3.3K views27 slides

Similar to Dima Kovalenko - Modern SSL Pinning(20)

Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
iphonepentest6.4K views
Web API SecurityWeb API Security
Web API Security
Stefaan 1.3K views
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
Sperasoft1.4K views
iOS application (in)securityiOS application (in)security
iOS application (in)security
iphonepentest9.1K views
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)2.9K views
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
Brian Ritchie3.3K views
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ON
OWASP EEE405 views
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
Sophos Benelux1.7K views
UL TS - CSA NL SUMMITUL TS - CSA NL SUMMIT
UL TS - CSA NL SUMMIT
Angelo D'Amato284 views
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
Alex Senkevitch54 views
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
Sébastien GIORIA1.7K views
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
Birju Tank3.4K views
Keychain Services Programming GuideKeychain Services Programming Guide
Keychain Services Programming Guide
DEVTYPE2.7K views
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions1.5K views
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
Jared Roberts7.5K views
Secure Your Mobile Content!Secure Your Mobile Content!
Secure Your Mobile Content!
Mike Brannon480 views
iOS backdoors attack points and surveillance mechanismsiOS backdoors attack points and surveillance mechanisms
iOS backdoors attack points and surveillance mechanisms
Dario Caliendo3K views
iPhone Apple iOS backdoors attack-points surveillance mechanismsiPhone Apple iOS backdoors attack-points surveillance mechanisms
iPhone Apple iOS backdoors attack-points surveillance mechanisms
Mariano Amartino38.5K views
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Dev...
Webrazzi2K views
ION Santiago: Lock It Up: TLS for Network OperatorsION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network Operators
Deploy360 Programme (Internet Society)1.2K views

More from OWASP Kyiv

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...OWASP Kyiv246 views34 slides
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиOWASP Kyiv197 views21 slides
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteOWASP Kyiv153 views31 slides
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonOWASP Kyiv600 views12 slides
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...OWASP Kyiv693 views79 slides
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101OWASP Kyiv466 views17 slides

More from OWASP Kyiv(20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
OWASP Kyiv246 views
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv197 views
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv153 views
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv600 views
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv693 views
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
OWASP Kyiv466 views
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv2.4K views
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
OWASP Kyiv432 views
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv362 views
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
OWASP Kyiv590 views
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv344 views
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv815 views
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSockets
OWASP Kyiv343 views
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
OWASP Kyiv1.1K views
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv647 views
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
OWASP Kyiv1.5K views
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv636 views
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv412 views
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
OWASP Kyiv370 views
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
OWASP Kyiv548 views

Recently uploaded

Common - Concerns Around OpenAI.pptxCommon - Concerns Around OpenAI.pptx
Common - Concerns Around OpenAI.pptxAlok Ranjan51 views12 slides
#11 DataWeave Extension Library using Visual Studio Code#11 DataWeave Extension Library using Visual Studio Code
#11 DataWeave Extension Library using Visual Studio CodeAnoopRamachandran1379 views25 slides
AWS Toolkit.pptxAWS Toolkit.pptx
AWS Toolkit.pptxBrandon Minnick, MBA54 views19 slides
Graph Neural Networks.pptxGraph Neural Networks.pptx
Graph Neural Networks.pptxKumar Iyer19 views30 slides
Welcome and State of Apache CloudStack CommunityWelcome and State of Apache CloudStack Community
Welcome and State of Apache CloudStack CommunityShapeBlue149 views12 slides
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptxSnehaAggarwal40119 views20 slides

Recently uploaded(20)

Common - Concerns Around OpenAI.pptxCommon - Concerns Around OpenAI.pptx
Common - Concerns Around OpenAI.pptx
Alok Ranjan51 views
#11 DataWeave Extension Library using Visual Studio Code#11 DataWeave Extension Library using Visual Studio Code
#11 DataWeave Extension Library using Visual Studio Code
AnoopRamachandran1379 views
AWS Toolkit.pptxAWS Toolkit.pptx
AWS Toolkit.pptx
Brandon Minnick, MBA54 views
Graph Neural Networks.pptxGraph Neural Networks.pptx
Graph Neural Networks.pptx
Kumar Iyer19 views
Welcome and State of Apache CloudStack CommunityWelcome and State of Apache CloudStack Community
Welcome and State of Apache CloudStack Community
ShapeBlue149 views
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptx
SnehaAggarwal40119 views
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
DiogoMonteiro78696022 views
FewShotExamples.pptxFewShotExamples.pptx
FewShotExamples.pptx
Alok Ranjan20 views
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a MigrationNoSQL Database Migration Masterclass - Session 2: The Anatomy of a Migration
NoSQL Database Migration Masterclass - Session 2: The Anatomy of a Migration
ScyllaDB31 views
An Introduction To Using ChatGPT For BusinessAn Introduction To Using ChatGPT For Business
An Introduction To Using ChatGPT For Business
Paul Nguyen56 views
dvss.pptdvss.ppt
dvss.ppt
SaikrishnaCheruvu1354 views
AI and ML Series - Generative Extraction and Classification of Documents in S...AI and ML Series - Generative Extraction and Classification of Documents in S...
AI and ML Series - Generative Extraction and Classification of Documents in S...
DianaGray1067 views
How SACCOs can increase their memberships AD_compressed (1).pdfHow SACCOs can increase their memberships AD_compressed (1).pdf
How SACCOs can increase their memberships AD_compressed (1).pdf
CoretecDigital75 views
GDSC INFO.pptxGDSC INFO.pptx
GDSC INFO.pptx
AshishChanchal136 views
Info Session GDSC Mepco Sechenk Chapter.pptxInfo Session GDSC Mepco Sechenk Chapter.pptx
Info Session GDSC Mepco Sechenk Chapter.pptx
DURAIVIGNESHC15 views
INASLA_AI and Landscape Architecture.pptxINASLA_AI and Landscape Architecture.pptx
INASLA_AI and Landscape Architecture.pptx
Jonathon Geels66 views
NTGapps DTB Platform.pdfNTGapps DTB Platform.pdf
NTGapps DTB Platform.pdf
Mustafa Kuğu165 views
Generative AI PotentialGenerative AI Potential
Generative AI Potential
Kapil Khandelwal (KK)25 views
Stanford AI Report 2023Stanford AI Report 2023
Stanford AI Report 2023
Kapil Khandelwal (KK)19 views
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
Alex Pruden17 views

Dima Kovalenko - Modern SSL Pinning

  1. Modern SSL Pinning in iOS system & applications Dima Kovalenko Dec 2, 2017 OWASP Kyiv 2017

  2. Agenda 1. Seasons in the sun 2. Smelly breath of SSL 3. SSL pinning versus SSLKillSwitch 4. Modern techniques to sniff/prevent sniffing SSL traffic 5. Summary

  3. Seasons in the sun From the beginning of the iPhone era to 2010: ● HTTP everywhere ● HTTPs is a very rare beast ● Any HTTP sniffer can see applications’ traffic Life is good!

  4. Seasons in the sun Apple AppStore traffic in 2009

  5. Seasons in the sun Apple AppStore traffic in 2009

  6. Smelly breath of SSL Starting from 2010, more and more iOS apps use SSL. However: ● HTTP protocol is still widely used (now over SSL) ● iOS applications trust system certificate storage It looks like SSL is used mostly to prevent MitM-attacks (stealing passwords, cookies etc) that prevent sniffing traffic from your own device.

  7. Smelly breath of SSL In 2010, the way to bypass SSL is simple: 1. Generate an SSL certificate 2. Add the certificate to iOS system storage 3. Use the certificate in your sniffer

  8. Smelly breath of SSL Numerous instructions how to do it

  9. SSL pinning versus SSLKillSwitch SSL certificate pinning is widely used since about 2012. 1. HTTP is still the core protocol for many iOS apps, but... 2. ...the apps do not trust system certificate storage anymore!

  10. SSL pinning versus SSLKillSwitch So 1. Any app has it’s own “per-app” certificate storage. 2. There is no common implementation of the “per-app” storages (iOS apps hardcode certificates, keep certificates in external files, request certificates on first start and save to app bundle settings etc). 3. There is no common way to sniff SSL traffic anymore!

  11. SSL pinning versus SSLKillSwitch In July 2012, Alban “nabla” Diquet saves all! His research shows that 1. Most of iOS apps (and even iOS itself) use the same system function to check certificate 2. The functions can be hooked/patched to make any certificate valid

  12. SSL pinning versus SSLKillSwitch The nabla’s tool, called SSLKillSwitch, is a MobileSubstrate extension. It hooks 3 important iOS SSL stack functions: ● SSLSetSessionOption(...) ● SSLCreateContext(...) ● SSLHandshake(...) Of course, SSLKillSwitch is not the only tool of this kind, but I believe it’s first and most used.

  13. <!-- DEMO1: SSLKillSwitch against YouTube --> SSL pinning versus SSLKillSwitch

  14. Modern techniques to sniff/prevent sniffing SSL traffic In 2016, iOS app developers start to implement custom SSL validation techniques. The techniques include numerous features, e.g. 1. Pinning public keys (SubjectPublicKeyInfo (SPKI)) vs. certificate pinning 2. Client-side certificates 3. iOS SSL stack functions integrity check… 4. ...and so on SSLKillSwitch and similar tools are not the absolute weapon against SSL pinning anymore!

  15. Modern techniques to sniff/prevent sniffing SSL traffic <!-- DEMO2: hook SSLRead/SSLWrite and sniff Apple Push traffic -->

  16. Modern techniques to sniff/prevent sniffing SSL traffic <!-- DEMO3: patch Instagram openssl-based embedded SSL framework and sniff the traffic -->

  17. Summary Everything is bad!

  18. QUESTIONS?

  19. Twitter: @kov4l3nko Mail: kov4l3nko@gmail.com Blog: https://kov4l3nko.github.io