As you might have guessed from previous posts on the topic, I’ve been researching certificate pinning implementations in mobile apps for the last couple of years. Two months ago I presented a talk on certificate pinning at OWASP AppSecEU16 conference in Rome, Italy. The conference was pretty fun, met so many interesting people. So, here are the slides and the video. The official abstract: Pinning Certificates (“Cert Pinning”) trends perennially, coming to the fore with each new SSL hack.| Yiannis Kozyrakis ~ blog
Two weeks ago I published details of an attack method that can be used to bypass various implementations of certificate pinning in Android or generally Java applications. Several applications and frameworks are still vulnerable to the attack, among them every Java or Android application using a version of the popular OkHttp networking library before versions 3.1.2 and 2.7.4. [The OkHttp issue is tracked as CVE-2016-2402] Brief overview Certificate pinning is a control used to mitigate Man-In-...| Yiannis Kozyrakis ~ blog