Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Certificate pinning 101
Search
Xavier Rubio Jansana
January 30, 2018
Programming
1
110
Certificate pinning 101
Slides for the lighthning talk "Certificate pinning 101" given at Barcelona ADG.
Xavier Rubio Jansana
January 30, 2018
Tweet
Share
More Decks by Xavier Rubio Jansana
See All by Xavier Rubio Jansana
Android Custom Controls and Canvas
xrubioj
0
95
Swifty Framework Development for pragmatic developers
xrubioj
0
160
Android Data Binding: from (null) to (data)
xrubioj
1
160
Other Decks in Programming
See All in Programming
Hypervel - A Coroutine Framework for Laravel Artisans
albertcht
1
110
都市をデータで見るってこういうこと PLATEAU属性情報入門
nokonoko1203
1
610
Is Xcode slowly dying out in 2025?
uetyo
1
270
システム成長を止めない!本番無停止テーブル移行の全貌
sakawe_ee
1
200
プロダクト志向なエンジニアがもう一歩先の価値を目指すために意識したこと
nealle
0
130
すべてのコンテキストを、 ユーザー価値に変える
applism118
3
1.2k
PipeCDのプラグイン化で目指すところ
warashi
1
270
Team operations that are not burdened by SRE
kazatohiei
1
310
Rubyでやりたい駆動開発 / Ruby driven development
chobishiba
1
690
コードの90%をAIが書く世界で何が待っているのか / What awaits us in a world where 90% of the code is written by AI
rkaga
52
33k
iOS 26にアップデートすると実機でのHot Reloadができない?
umigishiaoi
0
130
AIともっと楽するE2Eテスト
myohei
6
2.5k
Featured
See All Featured
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.5k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.4k
Side Projects
sachag
455
42k
GraphQLとの向き合い方2022年版
quramy
49
14k
How to train your dragon (web standard)
notwaldorf
95
6.1k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Facilitating Awesome Meetings
lara
54
6.4k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Optimizing for Happiness
mojombo
379
70k
Automating Front-end Workflow
addyosmani
1370
200k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Transcript
C C L L Xavier Rubio Jansana @teknik_tdr
https://xrubio.com https://github.com/xrubioj/
S S What? Why? How SSL/TLS works MiTM Attacks Certificate
pinning 101 Security considerations
W ? W ? Network security technique
W ? W ? Avoid MiTM attacks
I I Stealing app secrets Stealing user secrets Subverting communication
(e.g. change delivery address)
H SSL/TLS H SSL/TLS
HTTPS C HTTPS C
C C
C C
C S C S Subject Public Key Info
C C
C C
Settings → Security → Trusted certificates System vs User R
CA R CA
M TM A M TM A Root CA injection CA
insuficient validation → rogue certificate Self-signed certificates → validation disabled
C C
O H O H Exception: val hostname = "*.google.com" val
certificatePinner = CertificatePinner.Builder() .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build() val client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure! Peer certificate chain: sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root Pinned certificates for publicobject.com: sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= at okhttp3.CertificatePinner.check(CertificatePinner.java) at okhttp3.Connection.upgradeToTls(Connection.java) at okhttp3.Connection.connect(Connection.java) at okhttp3.Connection.connectAndSetOwner(Connection.java) afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=
A N A N AndroidManifest.xml: <?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config>
<domain includeSubdomains="true">appmattus.com</domain> <pin-set> <pin digest="SHA-256">4hw5tz+scE+TW+mlai5YipDfFWn1dqvfLG+nU7tq1V8=</pin> <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin> </pin-set> </domain-config> </network-security-config> <?xml version="1.0" encoding="utf-8"?> <manifest> <application android:networkSecurityConfig="@xml/network_security_config"> <!-- ... --> </application> </manifest> android:networkSecurityConfig="@xml/network_security_config"
B B CWAC-NetSecurity With some manual work... https://github.com/commonsguy/cwac-netsecurity "Allows the
same XML configuration to be used, going back to API Level 17 (Android 4.2)"
H H Hard failure So failure
S S Hardcoded pins Accept on first access Get pins
from server → inception!
S S ⚠ Hide your secrets! See "Android security basics"
talk by Krzysztof Kocel https://www.meetup.com/Barcelona-Android- Developer-Group/events/244107028/
R R "Android Security: SSL Pinning" by Matthew Dolan Network
Security Configuration "CWAC-NetSecurity: Simplifying Secure Internet Access" by CommonsWare CertificatePinner class OkHttp documentation https://medium.com/@appmattus/android-security-ssl-pinning- 1db8acb6621e https://developer.android.com/training/articles/security-config.htm https://github.com/commonsguy/cwac-netsecurity https://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinne
Q ? Q ?
T ! T ! Xavier Rubio Jansana This talk is
available at: @teknik_tdr https://xrubio.com https://github.com/xrubioj/ https://xrubio.com/talks/talk-lightning-certificate-pinning/