Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Certificate pinning 101
Search
Xavier Rubio Jansana
January 30, 2018
Programming
1
63
Certificate pinning 101
Slides for the lighthning talk "Certificate pinning 101" given at Barcelona ADG.
Xavier Rubio Jansana
January 30, 2018
Tweet
Share
More Decks by Xavier Rubio Jansana
See All by Xavier Rubio Jansana
Android Custom Controls and Canvas
xrubioj
0
44
Swifty Framework Development for pragmatic developers
xrubioj
0
68
Android Data Binding: from (null) to (data)
xrubioj
1
110
Other Decks in Programming
See All in Programming
Ruby製社内ツールのGo移行
bgpat
2
330
ログラスを支える設計標準について / loglass-design-standards
urmot
10
2.1k
Folding Cheat Sheet #3
philipschwarz
PRO
0
110
スクラムガイドのスプリントレトロスペクティブを改めて読みかえしてみた / Re-reading the Sprint Retrospective Section in the Scrum Guide
mackey0225
3
330
pixivアプリでマルチモジュールを実現するまで
gatosyocora
1
130
1인 개발자로 행복하게 살기 - GDG 송도 헬로월드 2024
benjaminkim
1
5.6k
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
110
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
250
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
22
15k
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
210
Elm Form Validation
bkuhlmann
0
500
雑に思考を整理する技術と効能
konifar
55
25k
Featured
See All Featured
Building a Modern Day E-commerce SEO Strategy
aleyda
16
6.3k
Faster Mobile Websites
deanohume
297
30k
BBQ
matthewcrist
80
8.7k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Bash Introduction
62gerente
604
210k
Building Applications with DynamoDB
mza
88
5.6k
Scaling GitHub
holman
457
140k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4.4k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
990
Transcript
C C L L Xavier Rubio Jansana @teknik_tdr
https://xrubio.com https://github.com/xrubioj/
S S What? Why? How SSL/TLS works MiTM Attacks Certificate
pinning 101 Security considerations
W ? W ? Network security technique
W ? W ? Avoid MiTM attacks
I I Stealing app secrets Stealing user secrets Subverting communication
(e.g. change delivery address)
H SSL/TLS H SSL/TLS
HTTPS C HTTPS C
C C
C C
C S C S Subject Public Key Info
C C
C C
Settings → Security → Trusted certificates System vs User R
CA R CA
M TM A M TM A Root CA injection CA
insuficient validation → rogue certificate Self-signed certificates → validation disabled
C C
O H O H Exception: val hostname = "*.google.com" val
certificatePinner = CertificatePinner.Builder() .add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") .build() val client = OkHttpClient.Builder() .certificatePinner(certificatePinner) .build() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure! Peer certificate chain: sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root Pinned certificates for publicobject.com: sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= at okhttp3.CertificatePinner.check(CertificatePinner.java) at okhttp3.Connection.upgradeToTls(Connection.java) at okhttp3.Connection.connect(Connection.java) at okhttp3.Connection.connectAndSetOwner(Connection.java) afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=
A N A N AndroidManifest.xml: <?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config>
<domain includeSubdomains="true">appmattus.com</domain> <pin-set> <pin digest="SHA-256">4hw5tz+scE+TW+mlai5YipDfFWn1dqvfLG+nU7tq1V8=</pin> <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin> </pin-set> </domain-config> </network-security-config> <?xml version="1.0" encoding="utf-8"?> <manifest> <application android:networkSecurityConfig="@xml/network_security_config"> <!-- ... --> </application> </manifest> android:networkSecurityConfig="@xml/network_security_config"
B B CWAC-NetSecurity With some manual work... https://github.com/commonsguy/cwac-netsecurity "Allows the
same XML configuration to be used, going back to API Level 17 (Android 4.2)"
H H Hard failure So failure
S S Hardcoded pins Accept on first access Get pins
from server → inception!
S S ⚠ Hide your secrets! See "Android security basics"
talk by Krzysztof Kocel https://www.meetup.com/Barcelona-Android- Developer-Group/events/244107028/
R R "Android Security: SSL Pinning" by Matthew Dolan Network
Security Configuration "CWAC-NetSecurity: Simplifying Secure Internet Access" by CommonsWare CertificatePinner class OkHttp documentation https://medium.com/@appmattus/android-security-ssl-pinning- 1db8acb6621e https://developer.android.com/training/articles/security-config.htm https://github.com/commonsguy/cwac-netsecurity https://square.github.io/okhttp/3.x/okhttp/okhttp3/CertificatePinne
Q ? Q ?
T ! T ! Xavier Rubio Jansana This talk is
available at: @teknik_tdr https://xrubio.com https://github.com/xrubioj/ https://xrubio.com/talks/talk-lightning-certificate-pinning/