Stick a Pin in Certificate Pinning: How to Inspect Mobile Traffic and Stop Data Exfiltration

Presented at BSidesSF 2015, April 19, 2015, 10 a.m. (60 minutes).

With the rise of encrypted traffic, more and more companies are deploying SSL inspection platforms to decrypt SSL. Unfortunately, these companies quickly discover that they cannot decrypt all traffic, particularly communications from mobile apps that use certificate pinning. What is certificate pinning? It is a method of preventing Man-in-the-Middle (MitM) attacks by validating server certificates against known, approved certificates or hashes bundled with the application. Many mobile applications today, including Twitter, Facebook, and Square, use certificate pinning to detect forged SSL certificates and prevent unauthorized snooping.

While this improves user privacy, it also exposes a gaping hole in corporate defenses, because malicious insiders can use mobile apps like Facebook to share confidential data, and malware can communicate and distribute stolen data and credentials through mobile applications. Researchers have even discovered bots that receive command and control directives from illicit Twitter accounts. As a result, organizations should inspect traffic from mobile applications.

During this presentation, we will propose a way to let employees access their favorite mobile applications while still ensuring that all traffic is inspected for data loss and attacks. With mobile app virtualization, organizations can host mobile apps on centralized servers and monitor file uploads and user activity; the end user experience is nearly identical to native application access. Attend this session to learn how attackers and insiders can use certificate pinning to bypass security controls, and to understand trends in cryptography and their implications for IT security.
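The validation step the abstract describes, a pinning app checking the presented server certificate against hashes bundled at build time, as an added Python example that is not part of the talk or of Sierraware's software. It walks the DER structure to the SubjectPublicKeyInfo and compares its SHA-256 in the "sha256/<base64>" form used by OkHttp's CertificatePinner; the DER encoder, both sample certificates and the pin set are constructed here for the demo, which is why a re-signed leaf from an inspection proxy fails the check even though the proxy's CA is trusted by the device.

```python
import base64, hashlib

def der(tag, payload):  # encode one DER TLV with a short- or long-form definite length
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_children(buf):  # yield (tag, value, raw_tlv) for each element of a constructed value
    i = 0
    while i < len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:
            nb = ln & 0x7F
            ln, j = int.from_bytes(buf[j:j + nb], "big"), j + nb
        yield tag, buf[j:j + ln], buf[i:j + ln]
        i = j + ln

def spki_from_cert(cert_der):  # Certificate -> tbsCertificate -> subjectPublicKeyInfo
    _, cert_body, _ = next(der_children(cert_der))
    _, tbs_body, _ = next(der_children(cert_body))
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first when present
        fields = fields[1:]
    return fields[5][2]  # serial, sigalg, issuer, validity, subject, SPKI (RFC 5280 order)

def pin_of(spki_der):  # "sha256/<base64>" SPKI pin, as OkHttp's CertificatePinner spells it
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_matches(cert_der, bundled_pins):  # the check a pinning app runs on the presented cert
    return pin_of(spki_from_cert(cert_der)) in bundled_pins

RSA_OID, SHA256RSA_OID = bytes.fromhex("2a864886f70d010101"), bytes.fromhex("2a864886f70d01010b")
NULL_ALG = lambda oid: der(0x30, der(0x06, oid) + der(0x05, b""))

def make_cert(key_bytes):  # constructed, unsigned X.509 skeleton for the demo (not a real cert)
    spki = der(0x30, NULL_ALG(RSA_OID) + der(0x03, b"\x00" + key_bytes))
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + NULL_ALG(SHA256RSA_OID)
              + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + NULL_ALG(SHA256RSA_OID) + der(0x03, b"\x00" + bytes(32)))

SERVER_CERT = make_cert(b"\x01" * 40)  # the key the app was built against (constructed)
PROXY_CERT = make_cert(b"\x02" * 40)   # an inspection proxy's re-signed leaf (constructed)
BUNDLED_PINS = {pin_of(spki_from_cert(SERVER_CERT))}  # what ships inside the app
if __name__ == "__main__":
    print("genuine server:", pin_matches(SERVER_CERT, BUNDLED_PINS))   # True
    print("inspection proxy:", pin_matches(PROXY_CERT, BUNDLED_PINS))  # False
```

Real deployments pin a backup key alongside the live one so a key rotation does not brick the app, which is why BUNDLED_PINS is a set rather than a single value.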

Presenters:

  • Gopal Jayaraman
    Gopal Jayaraman is the CEO and co-founder of Sierraware. He established Sierraware with the goal to supply rock-solid and full-featured virtualization and security software to equipment manufacturers all over the world. Prior to Sierraware, Gopal was a Senior Software Architect at Cavium Networks. Gopal previously served as the CTO of Menlo Logic, an SSL VPN company that was acquired by Cavium in 2005. He has held leading engineering roles at communications software and system vendors including Metera Networks and Wind River. A veteran of IP routing and networking, he began his career at FutureSoft specializing in UNIX kernel development and traffic engineering. Gopal is also an active participant in the IETF community. Gopal received an MSEE degree from Madras Institute of Technology in Madras, India.