Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
6. TrustKit
ā¢ Open-source library for SSL reporting and pinning
ā¢ Released for iOS in 2015 and for Android earlier this
year
ā¢ https://github.com/datatheorem/TrustKit
ā¢ Makes it easy to monitor and improve the security of the
appās network connections
7. SSL Pinning
ā¢ Hardcode in the app the SSL public key(s) to be expected
to be used by the appās server(s)
11. SSL Pinning
ā¢ Hardcode in the app the SSL public key(s) to be expected
to be used by the appās server(s)
12. SSL Pinning
ā¢ Hardcode in the app the SSL public key(s) to be expected
to be used by the appās server(s)
// Initialize TrustKit
NSDictionary *trustKitConfig =
@{
kTSKPinnedDomains: @{
@"www.datatheorem.com" : @{
kTSKPublicKeyHashes : @[
@"lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=",
@"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
]
}}};
[TrustKit initializeWithConfiguration:trustKitConfig];
13. SSL Pinning
ā¢ Hardcode in the app the SSL public key(s) to be expected
to be used by the appās server(s)
// Initialize TrustKit
NSDictionary *trustKitConfig =
@{
kTSKPinnedDomains: @{
@"www.datatheorem.com" : @{
kTSKPublicKeyHashes : @[
@"lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=",
@"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
]
}}};
[TrustKit initializeWithConfiguration:trustKitConfig];
14. SSL Reporting
ā¢ Send a report whenever an SSL error occurred
ā¢ Gives an overview of "SSL incidents" around the world
ā¢ Helps understanding connection errors across the user
base
ā¢ Helps making a decision on whether to deploy SSL
pinning
ā¢ Useful to all apps
15. SSL Incident
ā¢ Default SSL validation error
ā¢ Name mismatch, expired certiļ¬cate,
untrusted CA, etc.
ā¢ Pinning validation error
App Server
17. SSL Reporting
ā¢ Any domain can be conļ¬gured in TrustKit for where the
reports should be sent
ā¢ Data Theorem hosts one for free that developers can leverage
ā¢ Reporting dashboard to see trends and inspect individual
reports
ā¢ Notiļ¬cations for when something unexpected happens
ā¢ Suspicious actor
ā¢ Spike in reports
20. The Data Set
ā¢ 10 million reports from 2 million devices in 2 years
ā¢ From apps conļ¬gured to use Data Theoremās reporting
server
ā¢ Mostly from iOS devices
ā¢ 70% of the reports came from the USāØ
21. The Data Set
ā¢ From nearly 2 000 diļ¬erent apps
ā¢ Banking
ā¢ Shopping
ā¢ Music/streaming
ā¢ News
Top Platform
iOS 93.3%
Android 5.3%
macOS 1%
tvOS 0.4%
22. The Data Set
Top Countries
US 71%
GB 9.5%
TW 7.3%
CA 1.8%
HK 1.3%
23. The Data Set
ā¢ 3.3 million unique
certiļ¬cate chains
ā¢ 38% of the certiļ¬cate are
self-signed
ā¢ 78% of the certiļ¬cate
matched the hostname
Certiļ¬cate chain depth
2 62.2%
3 24%
1 11.4%
4 1.8%
5 0.5%
6 0.001%
24. Report Classiļ¬cation
ā¢ Use diļ¬erent heuristics to ļ¬nd the root cause
ā¢ By looking at the content of the report, mainly the
certiļ¬cate chain
ā¢ Save some metadata along with the server date
ā¢ Contact the server for the hostname that was in the
report, to fetch its certiļ¬cate chain
25. Report Classiļ¬cation
ā¢ Re-verify the certiļ¬cate chain
ā¢ Set of rules that can target:
ā¢ A speciļ¬c certiļ¬cate or a speciļ¬c public key
ā¢ Any certiļ¬cate ļ¬elds (Common Name, etc.)
47. Server Misconļ¬guration
ā¢ Category for servers with misconļ¬gured SSL certiļ¬cates
ā¢ Right now only one subcategory: expired certiļ¬cates
ā¢ For example, huge spike of report when a certiļ¬cate
deployed in production expired:
58. Pins Misconļ¬guration
ā¢ The SSL pins hardcoded in the app do not match the
serverās certiļ¬cate chain
ā¢ With enforcement disabled:
ā¢ The app still works but is constantly sending reports
ā¢ With enforcement enabled:
ā¢ The appās connections will fail
60. āOn a Thanksgiving Day, November 24, 2016 an
emergency has occurred.
Customers of Barclays Bank, which were users of
mobile banking application, were unable to perform
any transactions due to pinning the outdated
intermediate certiļ¬cate in the application.ā
62. āSeveral thousands of customers of small and
medium-sized businesses, operating mostly in the
UK market, will not be able to perform any
transactions from 8.30 a.m. 25/11/16 on a "Black
Friday" and during the holiday shopping period.
This will affect hundreds of thousands of
customer's transactions, until the application is
updated, and then released again.ā
63. Pins Misconļ¬guration
ā¢ 22% of apps with more than 30% of misconļ¬guration
issues
ā¢ Pressure on mobile developers to implement SSL pinning
in their apps
ā¢ From security teams, bug bounties, etc.
ā¢ But most apps do not need it
ā¢ Requires not just code changes but also very good
processes around server SSL keys
64. Global Categories
9 195 807 reports
Spyware 39%
Pins Misconļ¬g 34%
Server Misconļ¬g 4.3%
Dev Artifacts 0.5%
Corp Networks 2.2%
72. What Happened?
ā¢ A conļ¬guration proļ¬le was installed on the device
ā¢ With an always-on VPN conļ¬g
ā¢ To route all traļ¬c through the MobileXpression server
ā¢ With a custom root CA added to the deviceās trust store
ā¢ To allow traļ¬c decryption by the MobileXpression server
MobileXpression VPN App Server
73. MobileXpression?
āMobileXpression is a service of comScore, Inc., a
global leader in measuring the digital world,
providing insights into consumer behavior and
attitudes.ā
74. ComScore
āThis capability is based on a massive, global
cross-section of approximately 2 million
consumers, who have allowed comScore to collect
their online browsing, hardware and application
usage, and purchasing behavior.ā
75. ComScore
ā¢ Owner of several āmarket researchā apps
ā¢ MobileXpression, Digital Reļ¬ection
ā¢ Promise users rewards (gif cards, etc.) for installing the
app and conļ¬guration proļ¬le
76. ComScore
ā¢ Owner of several āmarket researchā apps
ā¢ MobileXpression, Digital Reļ¬ection
ā¢ Promise users rewards (gif cards, etc.) for installing the
app and conļ¬guration proļ¬le
77. ComScore
ā¢ Inspect/decrypt all the usersā traļ¬c to measure app
usage
ā¢ ComScoreās business model as a "measurement
companyā
78. Spyware - Market Intel
ā¢ Conļ¬guration proļ¬les are problematic
ā¢ Highly technical security warnings when installing the proļ¬le
ā¢ The proļ¬le/VPN does not get uninstalled when removing the app
ā¢ Makes sense from a technical perspective but will confuse users
ā¢ But not an easy issue to ļ¬x
ā¢ Corporate enrollment / MDM use case
ā¢ A proļ¬le can be installed directly via Safari
ā¢ Banning the spyware app from the store does not prevent it
81. Spyware - Ad Blocker
ā¢ Similar technical implementation with a VPN and custom CA
ā¢ Defend My WiFi
ā¢ "Automatically turns public Wi-Fi into safe and secure private
WiFiā
ā¢ Company does not exist anymore?
ā¢ Adblock Mobile
ā¢ iOS 8: SSL mitm on ad domains only
ā¢ iOS 9+: No more custom CA installed
86. What did we see?
ā¢ Traļ¬c interception does happen, and for many reasons
ā¢ Usually not malicious
ā¢ Employers
ā¢ Users āwillinglyā sharing their data for a reward
ā¢ No visible move from Apple and Google on this
ā¢ Similarities and diļ¬erences compared to previous work
on the web/desktop (Google, Facebook, Cloudļ¬are)
87. What do we do?
ā¢ Which group does your app belong to?
ā¢ It is acceptable to expose the userās data to ālawful
interceptionā (such as the userās employer)
ā¢ Games, Business apps
ā¢ The userās data is private and can never be exposed
ā¢ Mobile banking
ā¢ Can be technically enforced via SSL pinning
88. What do we do?
ā¢ More options on mobile compared to the web
ā¢ SSL reporting helps you understand what is happening
across your user base
ā¢ SSL pinning can be used for sensitive apps
ā¢ Signiļ¬cant burden and risk of catastrophic failure
ā¢ Must be decided and planned carefully
ā¢ Does not prevent reverse-engineering of your app