Two weeks ago I published details of an attack method that can be used to bypass various implementations of certificate pinning in Android or generally Java applications. Several applications and frameworks are still vulnerable to the attack, among them every Java or Android application using a version of the popular OkHttp networking library before versions 3.1.2 and 2.7.4. [The OkHttp issue is tracked as CVE-2016-2402] Brief overview Certificate pinning is a control used to mitigate Man-In-...| Yiannis Kozyrakis ~ blog
This post is part of a series: Inside SafetyNet part 1 (Oct 2015) Inside SafetyNet part 2 (Feb 2016) Inside SafetyNet part 3 (Nov 2016) How to implement Attestation securely using server-side checks (my blog, Cigital blog) SafetyNet Playground (POC server-side implementation) Play Store - Android source - PHP source It’s been six months since my last blog post on Android’s SafetyNet. I was then examining a mid-July 2015 version of the system.| Yiannis Kozyrakis ~ blog
In a previous blogpost, I described how Google Play’s SafetyNet service is structured, from a technical perspective, diving deep into details and the checks it perfoms on the device. Recap: Google Play’s SafetyNet service allows your application to gain information about the ‘CTS compatibility’ status of the device you are running on. You can think of CTS compatibility as a mix of rooting detection, device tampering detection and active MitM detection.| Yiannis Kozyrakis ~ blog
This post is part of a series: Inside SafetyNet part 1 (Oct 2015) Inside SafetyNet part 2 (Feb 2016) Inside SafetyNet part 3 (Nov 2016) How to implement Attestation securely using server-side checks (my blog, Cigital blog) SafetyNet Playground (POC server-side implementation) Play Store - Android source - PHP source What is SafetyNet The Android Pay application got released a few days ago. Some people using rooted devices discovered that it refused to work.| Yiannis Kozyrakis ~ blog