More and more mobile applications, such as the Chrome, Twitter and card.io apps, have started relying on SSL certificate pinning to further improve the security of their network communications. Certificate pinning lets the application authenticate its servers without relying on the device trust store: instead, a whitelist of certificates known to be used by the servers is stored directly in the application, restricting the set of certificates the application will accept when connecting to those servers.
While this improves security for end users, not using the device trust store to validate the servers' identity also makes black-box testing of such apps much more challenging, because installing a testing CA in the device trust store is no longer enough to get an intercepting proxy accepted. Without access to the application's source code to manually disable certificate validation, the tester is left with no simple way to intercept the application's SSL traffic.
We've been working on a set of tools for both Android and iOS to make it easy to defeat certificate pinning when performing black-box testing of mobile apps.
On iOS, a MobileSubstrate "tweak" has been developed to hook, at run time, the specific SSL functions that perform certificate validation. Using Cydia, the tweak can easily be deployed on a jailbroken device, allowing the tester to disable certificate validation for any app running on that device in a matter of minutes.
For Android applications, a custom JDWP debugger has been built to perform the API hooking. This tool can be used on any Android device or emulator that allows USB debugging, against any application that is debuggable.
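As an added illustration (not code from the talk or from the iOS and Android tools it describes), the following Python sketch shows both halves of the problem: an application that pins the SHA-256 fingerprint of its server's leaf certificate on top of normal chain validation, so a certificate issued by a proxy CA the tester added to the trust store is still rejected, and a run-time hook that swaps out the validation routine so that anything is accepted, which is the effect the MobileSubstrate tweak and the JDWP debugger obtain against native iOS and Android code. The certificate bytes, the host name and the function names are constructed for the example.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates):
# the bytes only need to differ so that their fingerprints differ.
SERVER_CERT_DER = b"constructed-der-for-api.example.com"
MITM_CERT_DER = b"constructed-der-for-intercepting-proxy-ca"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the raw DER certificate: the value an app ships as its pin."""
    return hashlib.sha256(der).hexdigest()


# The whitelist stored in the application: fingerprints of the certificates the
# backend is known to use. Real deployments pin a backup certificate too, so a
# routine rotation does not lock every installed client out.
PINNED_FINGERPRINTS = {fingerprint(SERVER_CERT_DER)}


def pin_ok(der: bytes, pins=PINNED_FINGERPRINTS) -> bool:
    """App-side pin check on the leaf certificate presented by the server.

    This is meant to run in addition to, not instead of, chain validation against
    the trust store; it narrows the accepted set to the pinned certificates.
    """
    return fingerprint(der) in pins


class PinnedClient:
    """Minimal client whose TLS connection is gated on the pin check."""

    def validate(self, der: bytes) -> bool:
        return pin_ok(der)

    def connect(self, host: str, port: int = 443, timeout: float = 5.0) -> bytes:
        # Standard chain validation and host-name check happen in wrap_socket;
        # the pin check is applied on the negotiated leaf certificate afterwards.
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                if not self.validate(der):
                    raise ssl.SSLError("certificate pin mismatch for %s" % host)
                return der


def hook_validation(client: PinnedClient) -> PinnedClient:
    """Run-time hook standing in for the MobileSubstrate / JDWP approach:
    the validation routine is replaced in place, so every certificate,
    including the intercepting proxy's, now passes the pin check."""
    client.validate = lambda der: True
    return client


def demo() -> dict:
    """Outcome of the pin check before and after the hook, for the two certificates."""
    client = PinnedClient()
    before = {"server": client.validate(SERVER_CERT_DER),
              "mitm": client.validate(MITM_CERT_DER)}
    hook_validation(client)
    after = {"server": client.validate(SERVER_CERT_DER),
             "mitm": client.validate(MITM_CERT_DER)}
    return {"before_hook": before, "after_hook": after}
```

Running `demo()` shows the proxy certificate rejected before the hook and accepted after it, without any change to the pinned whitelist itself; that is exactly why the bypass has to be done at run time, in the process, rather than by editing the trust store.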
This presentation will discuss the techniques we used to create those iOS and Android API hooking tools, common use case scenarios, and demonstrations of the tools in action.
Alban Diquet is a Senior Security Consultant at iSEC Partners, a strategic digital security organization, performing application and system penetration testing and analysis for multiple platforms and environments. While at iSEC, Alban has led or contributed to numerous security assessments on a variety of client/server applications, including large-scale web applications, iOS/Android applications, thick clients, and server applications. Alban's research interests include web security, SSL, and PKI. He recently released an open source SSL scanner written in Python, called SSLyze. Prior to working at iSEC, Alban was a Software Engineer at Sigma Designs Inc, where he implemented Digital Rights Management solutions for video content. Alban received an M.S. in Computer and Electrical Engineering from the "Institut Superieur d'Electronique de Paris" in Paris, France, and an M.S. in "Secure and Dependable Computer Systems" from Chalmers University, in Gothenburg, Sweden.
Justine Osborne is a Principal Security Consultant for iSEC Partners, an information security organization. At iSEC, Justine specializes in application security, focusing on web and mobile application penetration testing, code review, and secure coding guidelines. She also performs independent security research, and has presented at security conferences such as Blackhat, Defcon, DeepSec, IT-Defense and SysScan. Her research interests include emerging web application technologies, dynamic vulnerability assessment tools, Rich Internet Applications (RIA), and mobile device security.