mobile ssl failure mobile ssl failure
play

(Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76 Who are - PowerPoint PPT Presentation

Nov 12, 2023 •471 likes •1.17k views

(Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76 Who are these guys? Who are these guys? Penetration Testers at LinkedIn Tony Trummer - Staff Security Engineer aka SecBro Tushar Dalvi - Sr. Security Engineer & Pool Hustler

  1. (Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76

  2. Who are these guys? Who are these guys? Penetration Testers at LinkedIn Tony Trummer - Staff Security Engineer aka “SecBro” Tushar Dalvi - Sr. Security Engineer & Pool Hustler

  3. A Private Little War Our employer generally does not have prior Our employer generally does not have prior knowledge of, condone, support or otherwise knowledge of, condone, support or otherwise endorse our research endorse our research

  4. The Menagerie The Menagerie { Apps are mash-ups of native and web code { Java, Objective C, Swift, etc. { Developers control app security settings

  6. Basics Basics TLS provides several security features { Encryption { Authenticity { Integrity In apps, unlike browsers, whether you see a certificate warning is up to the app developer.

  7. Wolf in the Fold Wolf in the Fold { TLS is really the ONLY protection against Man-in-the middle (MitM) attacks { MitM is significantly easier to exploit against mobile devices Sprechen sie TLS?

  8. Tomorrow Is Yesterday Tomorrow Is Yesterday Before dismissing the idea of large- scale or supply-chain attacks... { Recent reports of pre-installed trojans on low-end Android devices { In 2013, Nokia was found to be performing MitM on customer traffic, reportedly for performance reasons { In 2013, reports surfaced claiming that the NSA and GCHQ (“Flying Pig”) were actually performing real- world MitM attacks

  9. The Immunity Syndrome The Immunity Syndrome Infosec folks often roll their eyes when they read statements on sites or in apps that tout TLS use and how big their keys are

  10. Journey to Babel Journey to Babel One night, after a few drinks, we decided to test some apps, starting with proxying their web requests

  11. Into Darkness Into Darkness

  12. Damn it, Jim! Damn it, Jim!

  13. First aspect of certificate First aspect of certificate validation validation The app or OS must verify the certificate is cryptographically signed by the private key of a Certificate Authority that is pre-trusted

  14. Forget Something? Forget Something? The app developers had disabled Certificate Authority validation Tony Tushar

  15. A Taste of Armageddon A Taste of Armageddon

  16. The Trouble The Trouble with Tribbles with Tribbles

  17. Testing for CA validation Testing for CA validation { Configure device to use proxy { Configure BurpSuite's proxy listener to “Generate a CA-signed per-host certificate” { DO NOT install the proxy's CA certificate on the test device { Verify you see a certificate warning in the native mobile browser { Step through each section of the app { If you see HTTPS traffic, in Burpsuite, the app failed

  18. Second aspect of Second aspect of validation validation Does the Subject Common or Alternative name match the hostname of the site you're visiting?

  19. By any other name By any other name

  20. Testing for proper Testing for proper hostname validation hostname validation { Obtain a valid certificate for any domain other than the target, signed by a CA the device already trusts { Configure your device to use a proxy { Configure proxy listener settings to “Use a custom certificate” { Verify you see a certificate warning in the native mobile browser { Step through each section of the mobile app { If you see HTTPS traffic, the app failed

  21. The Naked Time The Naked Time { Credit card numbers (RockBot) { Passwords, session cookies, etc.

  22. Dagger of the mind Dagger of the mind { Unencrypted credit card information { Tier 1 PCI merchant { 10 million+ installations

  23. Court Martial Court Martial FTC vs. Fandango & Credit Karma { One of the major flaws cited in the suit was failure to validate SSL certificates on mobile applications { Agreed to “establish comprehensive security programs” { Agreed to “undergo independent security assessments every other year for 20 years” { Scolded publicly for not keeping “their privacy promises to consumers”

  25. SSL session caching SSL session caching { During the initial handshake the certificate is validated { Subsequent client requests re-use the previous handshake and do not re-validate the certificate

  26. The Enemy Within The Enemy Within How would a bad guy get my phone? Why is it more likely on mobile?

  27. Patterns of Force Patterns of Force If I have physical access, couldn't I just... { Install malicious app { Access your data

  28. Turnabout Intruder Turnabout Intruder Since SSL session caching only checks the certificate once, you only need it on the device for as long it takes you to make the first connection, after which you can delete it

  29. The City on the The City on the Edge of Forever Edge of Forever { Server decides how long to accept the cached session { In other words, the bad guy gets to decide how long to accept the cached session... { We refer to this feature as “EverPWN”

  31. Shields Up! Shields Up! { Review your code { Implement policy { Test pre-release { Train developers

  32. Shields Up! Shields Up! { Review your code In Android, investigate these: { TrustManager { SSLSocket { SSLSocketFactory getInsecure { HostNameVerifier In iOS, investigate these areas: { _AFNETWORKING_ALLOW _INVALID_SSL_CERTIFICATES_ { SetAllowsAnyHTTPSCertificate { kCFStreamSSLAllowsAnyRoot

  33. Shields Up! Shields Up! { Certificate Pinning { Dev and prod signing certificates are required to be different in both iOS and Android { Build a trust manager that only allows certificate validation to be disabled in dev builds.

  34. Live Long and Prosper Live Long and Prosper Contact and testing instructions: http://www.secbro.com Tony Trummer: http://www.linkedin.com/in/tonytrummer @SecBro1 Tushar Dalvi: http://www.linkedin.com/in/tdalvi @TusharDalvi R.I.P Reggie Destin

  35. (Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76 All right people, our presentation is on the topic of mobile SSL failures. We are really excited to be here at DeepSec and this is my second talk ever at a security conference. Our plan, is to showcase, in the next 45 mins or so, some of the systemic issues we found in popular mobile applications and operating systems. Also, we will be presenting a lesser known technique of achieving almost undetectable and persistent man-in-the-middle capabilities in certain iOS and Android applications during this presentation.

  36. Who are these guys? Who are these guys? Penetration Testers at LinkedIn Tony Trummer - Staff Security Engineer aka “SecBro” Tushar Dalvi - Sr. Security Engineer & Pool Hustler So a little bit about our background...I am Tushar Dalvi, I have with me, Tony Trummer, we are both Security Engineers at LinkedIn, responsible for penetration testing and vulnerability research, but like most security folks, we spend most of our time herding cats. Previously, I worked at McAfee as a Penetration tester, after getting my Masters Degree from John Hopkins in Security Informatics. Tony, is a serial drop-out, comes from a military and networking background and has nearly 20 years experience in IT.

  37. A Private Little War Our employer generally does not have prior Our employer generally does not have prior knowledge of, condone, support or otherwise knowledge of, condone, support or otherwise endorse our research endorse our research Just to be clear, this presentation is purely part of our personal research work, and our opinion does not necessarily reflect the views of our employer.

  38. The Menagerie The Menagerie { Apps are mash-ups of native and web code { Java, Objective C, Swift, etc. { Developers control app security settings Alright, the premise of this presentation, is that mobile applications have come a long way and offer so much more control to the developer to define their behavior. In most cases, an application would be written for several different platforms; You have iOS, Android, Windows Phone and so on. Of the problem apps we'll show, most were Android, there were a few for iOS, but surprisingly, we didn't find any on the Windows Phone. Since each one of these platforms have differences in the way they can do the exact same thing, the developers need to have a clear understanding of the implications that come with this flexibility, when trying to implement features across different platforms. This is especially important, when it comes to security controls, such as TLS...

  39. We don't normally mention George Lucas in a Star Trek presentation...but when we do it's Georg Lukas (CLICK), who presented just yesterday at DeepSec and how many of the issues he was warning about, actually have already manifested themselves as vulnerabilities in popular mobile applications. Since many of you may have attended that talk, or are otherwise already familiar with SSL, we'll just quickly touch on the basics..

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Safe Community Imagery Mobile Presented by Jeff Hughes and Renee Bernstein Data Fraud Failure

Safe Community Imagery Mobile Presented by Jeff Hughes and Renee Bernstein Data Fraud Failure

Big Data Real-Time A Smart Community is a Mapping Data Management Safe Community Imagery Mobile Presented by Jeff Hughes and Renee Bernstein Data Fraud Failure of National Governance Failure of Climate- Spread of Access to Change

814 views • 54 slides
Co-design of a mobile health app for heart failure: Perspectives from the team. Lee Woods , Erin

Co-design of a mobile health app for heart failure: Perspectives from the team. Lee Woods , Erin

Co-design of a mobile health app for heart failure: Perspectives from the team. Lee Woods , Erin Roehrer, Jed Duff, Kim Walker and Elizabeth Cummings PhD in the School of Nursing & ACHI Fellowship by Training Candidate utas.edu.au August

422 views • 18 slides
Health Failure Telehealth Final Report Sarah Briggs Heart Failure Specialist Nurse Heart Failure

Health Failure Telehealth Final Report Sarah Briggs Heart Failure Specialist Nurse Heart Failure

Health Failure Telehealth Final Report Sarah Briggs Heart Failure Specialist Nurse Heart Failure Heart failure is a life limiting condition with outcomes worse than most cancers Heart failure is manifested by severe symptoms and the

775 views • 22 slides
Failure is a four-letter word Andreas Zeller Thomas Zimmermann Christian Bird PROMISE

Failure is a four-letter word Andreas Zeller Thomas Zimmermann Christian Bird PROMISE

Failure is a four-letter word Andreas Zeller Thomas Zimmermann Christian Bird PROMISE 2011, Banff, Canada Software failures 2 Defect distributions 3 Failure causes 4 Failure causes 5 Failure causes 6 Failure causes 7 Failure

1.16k views • 76 slides
MOBILE ADVERTISING Agenda Get off to a mobile start with Media Impact! Why mobile? MI

MOBILE ADVERTISING Agenda Get off to a mobile start with Media Impact! Why mobile? MI

MOBILE ADVERTISING Agenda Get off to a mobile start with Media Impact! Why mobile? MI Portfolio Mobile programmatic Mobile targeting Mobile formats Specials 2 Mobile Advertising @ MI WHY MOBILE? Traffic shift to the mobile web

862 views • 30 slides
Management of Co- morbidities in Heart Failure (COPD, Renal failure, Anemia) Dr John Parissis,

Management of Co- morbidities in Heart Failure (COPD, Renal failure, Anemia) Dr John Parissis,

Management of Co- morbidities in Heart Failure (COPD, Renal failure, Anemia) Dr John Parissis, Heart Failure Unit, Attikon University Hospital, Athens, Greece Prevalence of Non-cardiac Comorbidity In Chronic Heart Failure Braunstein et al

717 views • 70 slides
PALLIATIVE CARE Advanced heart failure Heart failure has a poor prognosis Heart failure

PALLIATIVE CARE Advanced heart failure Heart failure has a poor prognosis Heart failure

PALLIATIVE CARE Advanced heart failure Heart failure has a poor prognosis Heart failure mortality remains unacceptably high. 30-40% of patients die within the first year of diagnosis(Cowie et al, 2000; Hobbs et al, 2007). 1 year

381 views • 17 slides
HEART FAILURE S Y M P T O M S A N D T R E A T M E N T B Y K E R R Y M O R T O N H F S N

HEART FAILURE S Y M P T O M S A N D T R E A T M E N T B Y K E R R Y M O R T O N H F S N

ACUTE DECOMPENSATING HEART FAILURE S Y M P T O M S A N D T R E A T M E N T B Y K E R R Y M O R T O N H F S N ACUTE HEART FAILURE DEFINITION The new onset or recurrence of symptoms and signs of heart failure requiring urgent or

1.01k views • 22 slides
Take the Top Spot by Transforming IT 157 157 Failure itself is not fatal, but failure to

Take the Top Spot by Transforming IT 157 157 Failure itself is not fatal, but failure to

Take the Top Spot by Transforming IT 157 157 Failure itself is not fatal, but failure to change might be. Legendary basketball coach John Wooden Transformation is the only way to take the top spot Transformed organizations:

387 views • 17 slides
Heart Failure with Preserved Ejection Fraction Advances in Heart Failure CME Course Jonathan D

Heart Failure with Preserved Ejection Fraction Advances in Heart Failure CME Course Jonathan D

Heart Failure with Preserved Ejection Fraction Advances in Heart Failure CME Course Jonathan D Davis, MD, MPHS Director, Heart Failure Program Assistant Clinical Professor | Division of Cardiology Zuckerberg San Francisco General Hospital

595 views • 26 slides
ABSENCE: Usage-based Failure Detection in Mobile Networks Binh Nguyen , Zihui Ge, Jacobus Van der

ABSENCE: Usage-based Failure Detection in Mobile Networks Binh Nguyen , Zihui Ge, Jacobus Van der

ABSENCE: Usage-based Failure Detection in Mobile Networks Binh Nguyen , Zihui Ge, Jacobus Van der Merwe, He Yan, Jennifer Yates Mobicom 2015 1 Silent failures EPC core core RAN 2 Silent failures EPC core core RAN Silent failures:

128 views • 12 slides
Failure is not a four-letter word: Learning to embrace failure in our libraries. Hi! Hello I am

Failure is not a four-letter word: Learning to embrace failure in our libraries. Hi! Hello I am

Failure is not a four-letter word: Learning to embrace failure in our libraries. Hi! Hello I am Dayna DeBenedet I am the CEO of the Dryden Public Library, a quilting fanatic, and a podcast enthusiast. You can find me at @librarianishly.

546 views • 35 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
FUN FAILURE How positive failure feedback could enhance the instructional effectiveness of CALL

FUN FAILURE How positive failure feedback could enhance the instructional effectiveness of CALL

Seeking out FUN FAILURE How positive failure feedback could enhance the instructional effectiveness of CALL mini-games Frederik CORNILLIE & Piet DESMET http://takelessons.com/blog/wp-content/uploads/2012/05/piano2.jpg It is a piece of

700 views • 41 slides
Kolton Andrus (@deelyle) Overview 1. Why is Failure Testing Important? 2. How did we build

Kolton Andrus (@deelyle) Overview 1. Why is Failure Testing Important? 2. How did we build

Kolton Andrus (@deelyle) Overview 1. Why is Failure Testing Important? 2. How did we build Failure as a Service? 3. How has this made our systems more resilient? Why Failure Testing? 1. Makes our systems immune to failure 2. Prevents larger

597 views • 38 slides
0 to 100 Real Quick Learning from Failure Learning from Failure Learning from

0 to 100 Real Quick Learning from Failure Learning from Failure Learning from

0 to 100 Real Quick Learning from Failure Learning from Failure Learning from Failure - Get approved by Apple - Do as much work for the user as possible Version 1.0 - Frustration w/ Twitter Version 1.0 - Frustration w/

625 views • 37 slides
Updated with CPA#2 Status Successful completion of the first CPA/FC proto 1 Dec 5, 2017

Updated with CPA#2 Status Successful completion of the first CPA/FC proto 1 Dec 5, 2017

CPA/FC#1-Observations- Ready for CPA#2 Vic Guarino William Miller Diamanto Smargianaki Bo, Steve, Frank & Jerry and a cast of others 18 November, 2017 Updated with CPA#2 Status Successful completion of the first CPA/FC proto 1 Dec

122 views • 8 slides
Prof. Sameer Singh CS 175: PROJECTS IN AI (IN MINECRAFT) WINTER 2017 April 6, 2017 Upcoming

Prof. Sameer Singh CS 175: PROJECTS IN AI (IN MINECRAFT) WINTER 2017 April 6, 2017 Upcoming

Prof. Sameer Singh CS 175: PROJECTS IN AI (IN MINECRAFT) WINTER 2017 April 6, 2017 Upcoming Check out course webpage and schedule Check out Canvas, especially for deadlines Misc. Do the survey by tomorrow, April 7, 2017

630 views • 44 slides
Functions with Parameters and Arguments We are using a lot of new files today, and we'll make a

Functions with Parameters and Arguments We are using a lot of new files today, and we'll make a

Functions with Parameters and Arguments We are using a lot of new files today, and we'll make a central folder to contain all of them. On the Windows desktops, double click on your student folder (there should be a link on the desktop

505 views • 38 slides
Global School Health Policies and Practices Survey (G-SHPPS) G-SHPPS Goal Generate

Global School Health Policies and Practices Survey (G-SHPPS) G-SHPPS Goal Generate

Global School Health Policies and Practices Survey (G-SHPPS) G-SHPPS Goal Generate scientifically credible school-level data that describe characteristics of school health policies and practices nationwide G-SHPPS Purpose Help countries

495 views • 12 slides
Comparison of Costello Geomagnetic Activity Index Model and JHU/APL Models for Kp Prediction

Comparison of Costello Geomagnetic Activity Index Model and JHU/APL Models for Kp Prediction

Comparison of Costello Geomagnetic Activity Index Model and JHU/APL Models for Kp Prediction By: David Marchese Mentors: Douglas Biesecker Christopher Balch Outline Background Kp Prediction Costello Geomagnetic Activity Index

292 views • 28 slides
@FfrindIMi Adeiladu Pontydd ar draws y Cenedlaethau Building Bridges across the Generations

@FfrindIMi Adeiladu Pontydd ar draws y Cenedlaethau Building Bridges across the Generations

@FfrindIMi Adeiladu Pontydd ar draws y Cenedlaethau Building Bridges across the Generations Tanya Strange, Associate Director of Nursing Primary and Community Care 11.04.2019 National Strategic Drivers Intergenerational Practice and

351 views • 20 slides
Parametrizations of manifolds with heat kernels, multiscale analysis on graphs, and applications

Parametrizations of manifolds with heat kernels, multiscale analysis on graphs, and applications

Parametrizations of manifolds with heat kernels, multiscale analysis on graphs, and applications to analysis of data sets Mauro Maggioni Mathematics and Computer Science Duke University U.S.C./I.M.I., Columbia, 3/5/08 In collaboration with

350 views • 33 slides
Cattle , Argentina Sha Kibbutz, Israel Military cemetery in Verdun, France Elephants on the

Cattle , Argentina Sha Kibbutz, Israel Military cemetery in Verdun, France Elephants on the

Cattle , Argentina Sha Kibbutz, Israel Military cemetery in Verdun, France Elephants on the savannah, Botswana Ruins of the medieval city of Shali, Egypt Switzerland Gullholmen, Sweden Denver, USA Fraser Island dune, Australia Pena, Portugal

653 views • 36 slides

More recommend