Mobile SSL Failures

Presented at DeepSec 2014 „Do you want to know more?“, Unknown date/time (Unknown duration)

Mobile SSL Failures Failure to validate Certificate Authorities - Approximately 40 well-known apps Failure to validate Certificate Hostnames - Approximately 40 well-known apps Failure to encrypt at all - Tens of millions passwords and credit cards Recent FTC settlement related to this topic Review of why physical security isn't assured with mobile - Smudge attacks - No screen lock - Screen lock bypass - Creating invisible MitM attacks - Creating persistent MitM attacks SSL Session caching exploit A fool-proof defensive coding approach We will discuss how prevalent SSL certificate validation failures are in very popular applications. We will show how some popular applications failed to encrypt traffic at all resulting in the leakage of tens of millions of users' data. We will cover recent U.S. Government penalties that companies who fail to protect data may be subject to. We will discuss a new attack, that is particular applicable to mobile and especially on the Android platform, which potentially allows for a persistent MitM attack that is undetectable on the device itself. Lastly, we will cover how organizations can implement a fool-proof method to protect themselves against this mistake.

Presenters:

• Tony Trummer - Linkedin
  Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently an in-house penetration tester for LinkedIn, running point on their mobile security initiatives. When he's not hacking, he enjoys thinking about astrophysics, playing devil's advocate and has been known to dust his skateboard off from time-to-time
• Tushar Dalvi - Linkedin
  Tushar Dalvi is a security enthusiast, and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior developer at ACI Worldwide. 

Links:

• https://deepsec.net/archive/2014.deepsec.net/speaker.html#PSLOT160
• https://infocon.org/cons/DeepSec/DeepSec 2014/Mobile SSL Failures.mp4

Similar Presentations:

• Black Hat Europe 2014 / SSL Validation Checking vs. Go(ing) to Fail
• THOTCON 0x1 (2010) / How Everyone Screws Up SSL
• BSidesSF 2015 / Stick a Pin in Certificate Pinning: How to Inspect Mobile Traffic and Stop Data Exfiltration