SlideShare uma empresa Scribd logo

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercepted? A look at three million real-world SSL incidents

ā€¢
ā€¢
BlueHat Security Conference
BlueHat Security Conference

Alban Diquet, Data Theorem Thomas Sileo, Data Theorem Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS. We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings. First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are. Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found. Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.

Tecnologia
1 de 89
Baixar para ler offline
Mobile SSL Interception in the Wild Where, how, and why? Alban Diquet Thomas Sileo Data Theorem BlueHat 2017
Mobile SSL Interception ā€¢ Analyzed 10 million ā€œSSL incident" reports ā€¢ Sent by mobile devices all around the world ā€¢ What did we ļ¬nd?
DEMO
Agenda ā€¢ Data collection methodology ā€¢ Data set and analysis of forged SSL certiļ¬cates ā€¢ Results of the analysis ā€¢ Conclusion
Data Collection Methodology
TrustKit ā€¢ Open-source library for SSL reporting and pinning ā€¢ Released for iOS in 2015 and for Android earlier this year ā€¢ https://github.com/datatheorem/TrustKit ā€¢ Makes it easy to monitor and improve the security of the appā€™s network connections
SSL Pinning ā€¢ Hardcode in the app the SSL public key(s) to be expected to be used by the appā€™s server(s)
SSL Pinning
SSL Pinning
SSL Pinning lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=
SSL Pinning ā€¢ Hardcode in the app the SSL public key(s) to be expected to be used by the appā€™s server(s)
SSL Pinning ā€¢ Hardcode in the app the SSL public key(s) to be expected to be used by the appā€™s server(s) // Initialize TrustKit NSDictionary *trustKitConfig = @{ kTSKPinnedDomains: @{ @"www.datatheorem.com" : @{ kTSKPublicKeyHashes : @[ @"lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=", @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=", ] }}}; [TrustKit initializeWithConfiguration:trustKitConfig];
SSL Pinning ā€¢ Hardcode in the app the SSL public key(s) to be expected to be used by the appā€™s server(s) // Initialize TrustKit NSDictionary *trustKitConfig = @{ kTSKPinnedDomains: @{ @"www.datatheorem.com" : @{ kTSKPublicKeyHashes : @[ @"lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=", @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=", ] }}}; [TrustKit initializeWithConfiguration:trustKitConfig];
SSL Reporting ā€¢ Send a report whenever an SSL error occurred ā€¢ Gives an overview of "SSL incidents" around the world ā€¢ Helps understanding connection errors across the user base ā€¢ Helps making a decision on whether to deploy SSL pinning ā€¢ Useful to all apps
SSL Incident ā€¢ Default SSL validation error ā€¢ Name mismatch, expired certiļ¬cate, untrusted CA, etc. ā€¢ Pinning validation error App Server
SSL Reporting { "app-bundle-id": "com.datatheorem.testtrustkit", "app-version": ā€œ1.2", "app-vendor-id": "599F9C00-92DC-4B5C-9464-7971F01F8370", "app-platform": "IOS", "trustkit-version": ā€œ1.5.3", "hostname": "www.datatheorem.com", "port": 443, "noted-hostname": "datatheorem.com", "include-subdomains": true, "enforce-pinning": true, "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2015-06-08T01:58:05Z", "known-pins": [ "pin-sha256="rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="", "pin-sha256="TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY="" ], "validation-result": 1 }
SSL Reporting ā€¢ Any domain can be conļ¬gured in TrustKit for where the reports should be sent ā€¢ Data Theorem hosts one for free that developers can leverage ā€¢ Reporting dashboard to see trends and inspect individual reports ā€¢ Notiļ¬cations for when something unexpected happens ā€¢ Suspicious actor ā€¢ Spike in reports
Demo
Data Set and Report Classiļ¬cation
The Data Set ā€¢ 10 million reports from 2 million devices in 2 years ā€¢ From apps conļ¬gured to use Data Theoremā€™s reporting server ā€¢ Mostly from iOS devices ā€¢ 70% of the reports came from the USā€Ø
The Data Set ā€¢ From nearly 2 000 diļ¬€erent apps ā€¢ Banking ā€¢ Shopping ā€¢ Music/streaming ā€¢ News Top Platform iOS 93.3% Android 5.3% macOS 1% tvOS 0.4%
The Data Set Top Countries US 71% GB 9.5% TW 7.3% CA 1.8% HK 1.3%
The Data Set ā€¢ 3.3 million unique certiļ¬cate chains ā€¢ 38% of the certiļ¬cate are self-signed ā€¢ 78% of the certiļ¬cate matched the hostname Certiļ¬cate chain depth 2 62.2% 3 24% 1 11.4% 4 1.8% 5 0.5% 6 0.001%
Report Classiļ¬cation ā€¢ Use diļ¬€erent heuristics to ļ¬nd the root cause ā€¢ By looking at the content of the report, mainly the certiļ¬cate chain ā€¢ Save some metadata along with the server date ā€¢ Contact the server for the hostname that was in the report, to fetch its certiļ¬cate chain
Report Classiļ¬cation ā€¢ Re-verify the certiļ¬cate chain ā€¢ Set of rules that can target: ā€¢ A speciļ¬c certiļ¬cate or a speciļ¬c public key ā€¢ Any certiļ¬cate ļ¬elds (Common Name, etc.)
Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata
Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata
Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata
Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata
Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata == misconļ¬guration / certiļ¬cate_chain_valid
Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata unknown / to_review !=
Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.coporate_proxy", "hostname": "www.datatheorem.com", ā€œvalidated-certificate-chainā€: [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": ā€œā€¦", raw report
{ "app-bundle-id": ā€œcom.datatheorem.coporate_proxy", "hostname": "www.datatheorem.com", ā€œvalidated-certificate-chainā€: [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": ā€œā€¦", Report Classiļ¬cation raw report
{ "app-bundle-id": ā€œcom.datatheorem.coporate_proxy", "hostname": "www.datatheorem.com", ā€œvalidated-certificate-chainā€: [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": ā€œā€¦", Report Classiļ¬cation raw report
Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.coporate_proxy", "hostname": "www.datatheorem.com", ā€œvalidated-certificate-chainā€: [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": ā€œā€¦", { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", ā€œā€¦": [ā€¦], raw report certiļ¬cate chain info
Report Classiļ¬cation corporate_appliance / Fortinet corporate_appliance: Fortinet: leaf: - !IssuerCommonName 'FortiGate CA' { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", ā€œā€¦": [ā€¦], certiļ¬cate chain info classiļ¬er ruleset
Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.bad_device_clockā€, "hostname": "www.datatheorem.com", "date-time": "2017-03-14T04:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 2, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-22T04:00:54Z", } raw report report metadata
Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.bad_device_clockā€, "hostname": "www.datatheorem.com", "date-time": "2017-03-14T04:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 2, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-22T04:00:54Z", } raw report report metadata
Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.bad_device_clockā€, "hostname": "www.datatheorem.com", "date-time": "2017-03-14T04:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 2, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-22T04:00:54Z", } raw report report metadata
Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.bad_device_clockā€, "hostname": "www.datatheorem.com", "date-time": "2017-03-14T04:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 2, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-22T04:00:54Z", } raw report report metadata misconļ¬gured_device / bad_clock
Results of the Analysis
Classiļ¬cation Categories 9 195 807 reports
Classiļ¬cation Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconļ¬g 0.5% Server Misconļ¬g 4.3%
Previous Work ā€¢ Data from Chrome desktop for google.com:
Classiļ¬cation Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconļ¬g 0.5% Server Misconļ¬g 4.3%
Classiļ¬cation Categories 9 195 807 reports Server Misconļ¬g 4.3%
Server Misconļ¬guration ā€¢ Category for servers with misconļ¬gured SSL certiļ¬cates ā€¢ Right now only one subcategory: expired certiļ¬cates ā€¢ For example, huge spike of report when a certiļ¬cate deployed in production expired:
Classiļ¬cation Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconļ¬g 0.5% Server Misconļ¬g 4.3%
Classiļ¬cation Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Captive Portals 11% Not Reviewed Yet 6% Server Misconļ¬g 4.3% Corp Networks 2.2% Unknown 2.5% Client Clock Misconļ¬g 0.5% Dev Artifacts 0.5%
Classiļ¬cation Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Dev Artifacts 0.5% Corp Networks 2.2%
Classiļ¬cation Categories 9 195 807 reports Corp Networks 2.2%
Corporate Networks
Classiļ¬cation Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Dev Artifacts 0.5% Corp Networks 2.2%
Classiļ¬cation Categories 9 195 807 reports Dev Artifacts 0.5%
Dev Proxies
Classiļ¬cation Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Dev Artifacts 0.5% Corp Networks 2.2%
Classiļ¬cation Categories 9 195 807 reports Pins Misconļ¬g 34%
Pins Misconļ¬guration ā€¢ The SSL pins hardcoded in the app do not match the serverā€™s certiļ¬cate chain ā€¢ With enforcement disabled: ā€¢ The app still works but is constantly sending reports ā€¢ With enforcement enabled: ā€¢ The appā€™s connections will fail
Pins Misconļ¬guration
ā€œOn a Thanksgiving Day, November 24, 2016 an emergency has occurred. Customers of Barclays Bank, which were users of mobile banking application, were unable to perform any transactions due to pinning the outdated intermediate certiļ¬cate in the application.ā€
Pins Misconļ¬guration
ā€œSeveral thousands of customers of small and medium-sized businesses, operating mostly in the UK market, will not be able to perform any transactions from 8.30 a.m. 25/11/16 on a "Black Friday" and during the holiday shopping period. This will affect hundreds of thousands of customer's transactions, until the application is updated, and then released again.ā€
Pins Misconļ¬guration ā€¢ 22% of apps with more than 30% of misconļ¬guration issues ā€¢ Pressure on mobile developers to implement SSL pinning in their apps ā€¢ From security teams, bug bounties, etc. ā€¢ But most apps do not need it ā€¢ Requires not just code changes but also very good processes around server SSL keys
Global Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Server Misconļ¬g 4.3% Dev Artifacts 0.5% Corp Networks 2.2%
Classiļ¬cation Categories 9 195 807 reports Spyware 39%
Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports
Spyware Categories Market Intelligenceā€Ø 3 580 078 reports MobileXpression 91% Digital Reļ¬‚ection 4% Verto Analytics 3.3% Luth 1.4% AnalyzeMe 0.3% Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports
Spyware - Market Intel ā€¢ Mainly investigated MobileXpression and Digital Reļ¬‚ection ā€¢ Large number of reports across ~20 000 devices
MobileXpression
Demo
MobileXpression
What Happened? ā€¢ A conļ¬guration proļ¬le was installed on the device ā€¢ With an always-on VPN conļ¬g ā€¢ To route all traļ¬ƒc through the MobileXpression server ā€¢ With a custom root CA added to the deviceā€™s trust store ā€¢ To allow traļ¬ƒc decryption by the MobileXpression server MobileXpression VPN App Server
MobileXpression? ā€œMobileXpression is a service of comScore, Inc., a global leader in measuring the digital world, providing insights into consumer behavior and attitudes.ā€
ComScore ā€œThis capability is based on a massive, global cross-section of approximately 2 million consumers, who have allowed comScore to collect their online browsing, hardware and application usage, and purchasing behavior.ā€
ComScore ā€¢ Owner of several ā€œmarket researchā€ apps ā€¢ MobileXpression, Digital Reļ¬‚ection ā€¢ Promise users rewards (gif cards, etc.) for installing the app and conļ¬guration proļ¬le
ComScore ā€¢ Owner of several ā€œmarket researchā€ apps ā€¢ MobileXpression, Digital Reļ¬‚ection ā€¢ Promise users rewards (gif cards, etc.) for installing the app and conļ¬guration proļ¬le
ComScore ā€¢ Inspect/decrypt all the usersā€™ traļ¬ƒc to measure app usage ā€¢ ComScoreā€™s business model as a "measurement companyā€
Spyware - Market Intel ā€¢ Conļ¬guration proļ¬les are problematic ā€¢ Highly technical security warnings when installing the proļ¬le ā€¢ The proļ¬le/VPN does not get uninstalled when removing the app ā€¢ Makes sense from a technical perspective but will confuse users ā€¢ But not an easy issue to ļ¬x ā€¢ Corporate enrollment / MDM use case ā€¢ A proļ¬le can be installed directly via Safari ā€¢ Banning the spyware app from the store does not prevent it
Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports
Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Parental Controlā€Ø 10 820 reports Ad Blockerā€Ø 18 463 reports Defend My WiFi 59% AdBl0ck 34% AdGuard 7%
Spyware - Ad Blocker ā€¢ Similar technical implementation with a VPN and custom CA ā€¢ Defend My WiFi ā€¢ "Automatically turns public Wi-Fi into safe and secure private WiFiā€ ā€¢ Company does not exist anymore? ā€¢ Adblock Mobile ā€¢ iOS 8: SSL mitm on ad domains only ā€¢ iOS 9+: No more custom CA installed
Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports
Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports Qustodio 74% Accountable2You 24% Circle Go 2%
Spyware - Parental Control ā€¢ Qustodio, Accountable2You, Circle Go ā€¢ Parental control/monitoring tools
Conclusion
What did we see? ā€¢ Traļ¬ƒc interception does happen, and for many reasons ā€¢ Usually not malicious ā€¢ Employers ā€¢ Users ā€œwillinglyā€ sharing their data for a reward ā€¢ No visible move from Apple and Google on this ā€¢ Similarities and diļ¬€erences compared to previous work on the web/desktop (Google, Facebook, Cloudļ¬‚are)
What do we do? ā€¢ Which group does your app belong to? ā€¢ It is acceptable to expose the userā€™s data to ā€œlawful interceptionā€ (such as the userā€™s employer) ā€¢ Games, Business apps ā€¢ The userā€™s data is private and can never be exposed ā€¢ Mobile banking ā€¢ Can be technically enforced via SSL pinning
What do we do? ā€¢ More options on mobile compared to the web ā€¢ SSL reporting helps you understand what is happening across your user base ā€¢ SSL pinning can be used for sensitive apps ā€¢ Signiļ¬cant burden and risk of catastrophic failure ā€¢ Must be decided and planned carefully ā€¢ Does not prevent reverse-engineering of your app
Thanks! @nabla_c0d3 @trucsdedev

Recomendados

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...BlueHat Security Conference
Ā 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
Ā 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
Ā 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
Ā 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat Security Conference
Ā 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest
Ā 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
Ā 
BlueHat v17 || ā€œ_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || ā€œ_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || ā€œ_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || ā€œ_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
Ā 

Recomendados

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...BlueHat Security Conference
Ā 
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure BlueHat Security Conference
Ā 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat Security Conference
Ā 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
Ā 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...BlueHat Security Conference
Ā 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest
Ā 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully BlueHat Security Conference
Ā 
BlueHat v17 || ā€œ_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || ā€œ_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || ā€œ_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || ā€œ_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
Ā 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat Security Conference
Ā 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesGuglielmo Scaiola
Ā 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
Ā 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
Ā 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
Ā 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
Ā 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
Ā 
Š˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµ
Š˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµŠ˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµ
Š˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµPositive Hack Days
Ā 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
Ā 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
Ā 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0Cyber Security Alliance
Ā 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
Ā 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
Ā 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat Security Conference
Ā 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossecJeronimo Zucco
Ā 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enoughSumedt Jitpukdebodin
Ā 
1.3. (In)security Software
1.3. (In)security Software1.3. (In)security Software
1.3. (In)security Softwaredefconmoscow
Ā 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
Ā 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CanSecWest
Ā 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
Ā 
Microsoft Bluehat 2017: Mobile SSL Interception
Microsoft Bluehat 2017: Mobile SSL InterceptionMicrosoft Bluehat 2017: Mobile SSL Interception
Microsoft Bluehat 2017: Mobile SSL InterceptionHimanshu Dwivedi
Ā 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018MOnCloud
Ā 

Mais conteĆŗdo relacionado

Mais procurados

BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat Security Conference
Ā 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesGuglielmo Scaiola
Ā 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-OwnedWill Schroeder
Ā 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
Ā 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
Ā 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
Ā 
Š˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµ
Š˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµŠ˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµ
Š˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµPositive Hack Days
Ā 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
Ā 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
Ā 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0Cyber Security Alliance
Ā 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
Ā 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
Ā 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat Security Conference
Ā 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossecJeronimo Zucco
Ā 
1.3. (In)security Software
1.3. (In)security Software1.3. (In)security Software
1.3. (In)security Softwaredefconmoscow
Ā 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
Ā 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CanSecWest
Ā 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
Ā 

Mais procurados (20)

BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
Ā 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniques
Ā 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
Ā 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
Ā 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
Ā 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
Ā 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, please
Ā 
Š˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµ
Š˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµŠ˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµ
Š˜Š½Ń†ŠøŠ“ŠµŠ½Ń‚Ń‹ с ŠøсŠæŠ¾Š»ŃŒŠ·Š¾Š²Š°Š½ŠøŠµŠ¼ ransomware. Š Š°ŃŃŠ»ŠµŠ“Š¾Š²Š°Š½ŠøŠµ
Ā 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Ā 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
Ā 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
Ā 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
Ā 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
Ā 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural netBlueHat v18 || Malicious user profiling using a deep neural net
BlueHat v18 || Malicious user profiling using a deep neural net
Ā 
Implementing ossec
Implementing ossecImplementing ossec
Implementing ossec
Ā 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
Ā 
1.3. (In)security Software
1.3. (In)security Software1.3. (In)security Software
1.3. (In)security Software
Ā 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
Ā 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
Ā 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Ā 

Semelhante a BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercepted? A look at three million real-world SSL incidents

Microsoft Bluehat 2017: Mobile SSL Interception
Microsoft Bluehat 2017: Mobile SSL InterceptionMicrosoft Bluehat 2017: Mobile SSL Interception
Microsoft Bluehat 2017: Mobile SSL InterceptionHimanshu Dwivedi
Ā 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018MOnCloud
Ā 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL PracticesBrian A. McHenry
Ā 
SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)Priyanka Aash
Ā 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
Ā 
Securing the hybrid environment with Microsoft Cloud App Security
Securing the hybrid environment with Microsoft Cloud App SecuritySecuring the hybrid environment with Microsoft Cloud App Security
Securing the hybrid environment with Microsoft Cloud App SecurityMatt Fooks
Ā 
MongoDB.local Austin 2018: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Austin 2018: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Austin 2018: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Austin 2018: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB
Ā 
MongoDB World 2018: Pissing Off IT and Delivery: A Tale of 2 ODSā€™s
MongoDB World 2018: Pissing Off IT and Delivery: A Tale of 2 ODSā€™sMongoDB World 2018: Pissing Off IT and Delivery: A Tale of 2 ODSā€™s
MongoDB World 2018: Pissing Off IT and Delivery: A Tale of 2 ODSā€™sMongoDB
Ā 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB
Ā 
how to use openstack api
how to use openstack apihow to use openstack api
how to use openstack apiLiang Bo
Ā 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxssuser865ecd
Ā 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...Andrejs Vorobjovs
Ā 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailPuma Security, LLC
Ā 
Best Practices of IoT Security in the Cloud
Best Practices of IoT Security in the CloudBest Practices of IoT Security in the Cloud
Best Practices of IoT Security in the CloudAmazon Web Services
Ā 
SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)Maarten Mulders
Ā 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET CoreNETUserGroupBern
Ā 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingForgeRock
Ā 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the CloudAmazon Web Services
Ā 

Semelhante a BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercepted? A look at three million real-world SSL incidents (20)

Microsoft Bluehat 2017: Mobile SSL Interception
Microsoft Bluehat 2017: Mobile SSL InterceptionMicrosoft Bluehat 2017: Mobile SSL Interception
Microsoft Bluehat 2017: Mobile SSL Interception
Ā 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
Ā 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
Ā 
SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)SACON - Mobile App Security (Srinath Venkataramani)
SACON - Mobile App Security (Srinath Venkataramani)
Ā 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
Ā 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID Access
Ā 
Hacking mobile apps
Hacking mobile appsHacking mobile apps
Hacking mobile apps
Ā 
Securing the hybrid environment with Microsoft Cloud App Security
Securing the hybrid environment with Microsoft Cloud App SecuritySecuring the hybrid environment with Microsoft Cloud App Security
Securing the hybrid environment with Microsoft Cloud App Security
Ā 
MongoDB.local Austin 2018: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Austin 2018: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB.local Austin 2018: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB.local Austin 2018: Pissing Off IT and Delivery: A Tale of 2 ODS's
Ā 
MongoDB World 2018: Pissing Off IT and Delivery: A Tale of 2 ODSā€™s
MongoDB World 2018: Pissing Off IT and Delivery: A Tale of 2 ODSā€™sMongoDB World 2018: Pissing Off IT and Delivery: A Tale of 2 ODSā€™s
MongoDB World 2018: Pissing Off IT and Delivery: A Tale of 2 ODSā€™s
Ā 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
Ā 
how to use openstack api
how to use openstack apihow to use openstack api
how to use openstack api
Ā 
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Ā 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Ā 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
Ā 
Best Practices of IoT Security in the Cloud
Best Practices of IoT Security in the CloudBest Practices of IoT Security in the Cloud
Best Practices of IoT Security in the Cloud
Ā 
SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)
Ā 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
Ā 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Ā 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the Cloud
Ā 

Mais de BlueHat Security Conference

BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...BlueHat Security Conference
Ā 
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One StoryBlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One StoryBlueHat Security Conference
Ā 
BlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
BlueHat Seattle 2019 || Kubernetes Practical Attack and DefenseBlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
BlueHat Seattle 2019 || Kubernetes Practical Attack and DefenseBlueHat Security Conference
Ā 
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come aloneBlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come aloneBlueHat Security Conference
Ā 
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Security Conference
Ā 
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Security Conference
Ā 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Security Conference
Ā 
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Security Conference
Ā 
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...BlueHat Security Conference
Ā 
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...BlueHat Security Conference
Ā 
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...BlueHat Security Conference
Ā 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat Security Conference
Ā 
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzingBlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzingBlueHat Security Conference
Ā 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat Security Conference
Ā 
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windowsBlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windowsBlueHat Security Conference
Ā 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat Security Conference
Ā 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat Security Conference
Ā 
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...BlueHat Security Conference
Ā 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
Ā 

Mais de BlueHat Security Conference (20)

BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
Ā 
BlueHat Seattle 2019 || Keynote
BlueHat Seattle 2019 || KeynoteBlueHat Seattle 2019 || Keynote
BlueHat Seattle 2019 || Keynote
Ā 
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One StoryBlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
Ā 
BlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
BlueHat Seattle 2019 || Kubernetes Practical Attack and DefenseBlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
BlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
Ā 
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come aloneBlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
Ā 
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
Ā 
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
Ā 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
Ā 
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
Ā 
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
Ā 
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
Ā 
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
Ā 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
Ā 
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzingBlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
Ā 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
Ā 
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windowsBlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
Ā 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
Ā 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without device
Ā 
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
Ā 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
Ā 

ƚltimo

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
Ā 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
Ā 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
Ā 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
Ā 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
Ā 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
Ā 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
Ā 
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | DelhiFULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhisoniya singh
Ā 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
Ā 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
Ā 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
Ā 
Transcript: #StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024BookNet Canada
Ā 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
Ā 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
Ā 
Scaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationScaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationRadu Cotescu
Ā 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
Ā 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
Ā 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
Ā 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
Ā 
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024BookNet Canada
Ā 

ƚltimo (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
Ā 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
Ā 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Ā 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Ā 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
Ā 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
Ā 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Ā 
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | DelhiFULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY šŸ” 8264348440 šŸ” Call Girls in Diplomatic Enclave | Delhi
Ā 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Ā 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Ā 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
Ā 
Transcript: #StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
Ā 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
Ā 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
Ā 
Scaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationScaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organization
Ā 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
Ā 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Ā 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
Ā 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Ā 
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: Whatā€™s new for BISAC - Tech Forum 2024
Ā 

BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercepted? A look at three million real-world SSL incidents

  • 1. Mobile SSL Interception in the Wild Where, how, and why? Alban Diquet Thomas Sileo Data Theorem BlueHat 2017
  • 2. Mobile SSL Interception ā€¢ Analyzed 10 million ā€œSSL incident" reports ā€¢ Sent by mobile devices all around the world ā€¢ What did we ļ¬nd?
  • 4. Agenda ā€¢ Data collection methodology ā€¢ Data set and analysis of forged SSL certiļ¬cates ā€¢ Results of the analysis ā€¢ Conclusion
  • 6. TrustKit ā€¢ Open-source library for SSL reporting and pinning ā€¢ Released for iOS in 2015 and for Android earlier this year ā€¢ https://github.com/datatheorem/TrustKit ā€¢ Makes it easy to monitor and improve the security of the appā€™s network connections
  • 7. SSL Pinning ā€¢ Hardcode in the app the SSL public key(s) to be expected to be used by the appā€™s server(s)
  • 11. SSL Pinning ā€¢ Hardcode in the app the SSL public key(s) to be expected to be used by the appā€™s server(s)
  • 12. SSL Pinning ā€¢ Hardcode in the app the SSL public key(s) to be expected to be used by the appā€™s server(s) // Initialize TrustKit NSDictionary *trustKitConfig = @{ kTSKPinnedDomains: @{ @"www.datatheorem.com" : @{ kTSKPublicKeyHashes : @[ @"lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=", @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=", ] }}}; [TrustKit initializeWithConfiguration:trustKitConfig];
  • 13. SSL Pinning ā€¢ Hardcode in the app the SSL public key(s) to be expected to be used by the appā€™s server(s) // Initialize TrustKit NSDictionary *trustKitConfig = @{ kTSKPinnedDomains: @{ @"www.datatheorem.com" : @{ kTSKPublicKeyHashes : @[ @"lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=", @"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=", ] }}}; [TrustKit initializeWithConfiguration:trustKitConfig];
  • 14. SSL Reporting ā€¢ Send a report whenever an SSL error occurred ā€¢ Gives an overview of "SSL incidents" around the world ā€¢ Helps understanding connection errors across the user base ā€¢ Helps making a decision on whether to deploy SSL pinning ā€¢ Useful to all apps
  • 15. SSL Incident ā€¢ Default SSL validation error ā€¢ Name mismatch, expired certiļ¬cate, untrusted CA, etc. ā€¢ Pinning validation error App Server
  • 16. SSL Reporting { "app-bundle-id": "com.datatheorem.testtrustkit", "app-version": ā€œ1.2", "app-vendor-id": "599F9C00-92DC-4B5C-9464-7971F01F8370", "app-platform": "IOS", "trustkit-version": ā€œ1.5.3", "hostname": "www.datatheorem.com", "port": 443, "noted-hostname": "datatheorem.com", "include-subdomains": true, "enforce-pinning": true, "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2015-06-08T01:58:05Z", "known-pins": [ "pin-sha256="rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="", "pin-sha256="TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY="" ], "validation-result": 1 }
  • 17. SSL Reporting ā€¢ Any domain can be conļ¬gured in TrustKit for where the reports should be sent ā€¢ Data Theorem hosts one for free that developers can leverage ā€¢ Reporting dashboard to see trends and inspect individual reports ā€¢ Notiļ¬cations for when something unexpected happens ā€¢ Suspicious actor ā€¢ Spike in reports
  • 18. Demo
  • 19. Data Set and Report Classiļ¬cation
  • 20. The Data Set ā€¢ 10 million reports from 2 million devices in 2 years ā€¢ From apps conļ¬gured to use Data Theoremā€™s reporting server ā€¢ Mostly from iOS devices ā€¢ 70% of the reports came from the USā€Ø
  • 21. The Data Set ā€¢ From nearly 2 000 diļ¬€erent apps ā€¢ Banking ā€¢ Shopping ā€¢ Music/streaming ā€¢ News Top Platform iOS 93.3% Android 5.3% macOS 1% tvOS 0.4%
  • 22. The Data Set Top Countries US 71% GB 9.5% TW 7.3% CA 1.8% HK 1.3%
  • 23. The Data Set ā€¢ 3.3 million unique certiļ¬cate chains ā€¢ 38% of the certiļ¬cate are self-signed ā€¢ 78% of the certiļ¬cate matched the hostname Certiļ¬cate chain depth 2 62.2% 3 24% 1 11.4% 4 1.8% 5 0.5% 6 0.001%
  • 24. Report Classiļ¬cation ā€¢ Use diļ¬€erent heuristics to ļ¬nd the root cause ā€¢ By looking at the content of the report, mainly the certiļ¬cate chain ā€¢ Save some metadata along with the server date ā€¢ Contact the server for the hostname that was in the report, to fetch its certiļ¬cate chain
  • 25. Report Classiļ¬cation ā€¢ Re-verify the certiļ¬cate chain ā€¢ Set of rules that can target: ā€¢ A speciļ¬c certiļ¬cate or a speciļ¬c public key ā€¢ Any certiļ¬cate ļ¬elds (Common Name, etc.)
  • 26. Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata
  • 27. Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata
  • 28. Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata
  • 29. Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata
  • 30. Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata == misconļ¬guration / certiļ¬cate_chain_valid
  • 31. Report Classiļ¬cation { "app-bundle-id": "com.datatheorem.pin_misconfig", "hostname": "www.datatheorem.com", "date-time": "2017-05-12T06:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 1, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-12T06:00:25Z", } raw report report metadata unknown / to_review !=
  • 32. Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.coporate_proxy", "hostname": "www.datatheorem.com", ā€œvalidated-certificate-chainā€: [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": ā€œā€¦", raw report
  • 33. { "app-bundle-id": ā€œcom.datatheorem.coporate_proxy", "hostname": "www.datatheorem.com", ā€œvalidated-certificate-chainā€: [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": ā€œā€¦", Report Classiļ¬cation raw report
  • 34. { "app-bundle-id": ā€œcom.datatheorem.coporate_proxy", "hostname": "www.datatheorem.com", ā€œvalidated-certificate-chainā€: [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": ā€œā€¦", Report Classiļ¬cation raw report
  • 35. Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.coporate_proxy", "hostname": "www.datatheorem.com", ā€œvalidated-certificate-chainā€: [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "date-time": "2017-03-03T21:27:12Z", "validation-result": 1, "...": ā€œā€¦", { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", ā€œā€¦": [ā€¦], raw report certiļ¬cate chain info
  • 36. Report Classiļ¬cation corporate_appliance / Fortinet corporate_appliance: Fortinet: leaf: - !IssuerCommonName 'FortiGate CA' { "certificate_chain_infos": [ {"issuer": {"common_name":"Fortigate CA", ā€œā€¦": [ā€¦], certiļ¬cate chain info classiļ¬er ruleset
  • 37. Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.bad_device_clockā€, "hostname": "www.datatheorem.com", "date-time": "2017-03-14T04:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 2, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-22T04:00:54Z", } raw report report metadata
  • 38. Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.bad_device_clockā€, "hostname": "www.datatheorem.com", "date-time": "2017-03-14T04:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 2, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-22T04:00:54Z", } raw report report metadata
  • 39. Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.bad_device_clockā€, "hostname": "www.datatheorem.com", "date-time": "2017-03-14T04:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 2, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-22T04:00:54Z", } raw report report metadata
  • 40. Report Classiļ¬cation { "app-bundle-id": ā€œcom.datatheorem.bad_device_clockā€, "hostname": "www.datatheorem.com", "date-time": "2017-03-14T04:00:22Z", "validated-certificate-chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "validation-result": 2, "ā€¦": [ā€¦], "ā€¦": [ā€¦], "server_certificate_chain": [ "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", ā€œ-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----n[ā€¦]n-----END CERTIFICATE-----" ], "received_atā€: ā€œ2017-05-22T04:00:54Z", } raw report report metadata misconļ¬gured_device / bad_clock
  • 43. Classiļ¬cation Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconļ¬g 0.5% Server Misconļ¬g 4.3%
  • 44. Previous Work ā€¢ Data from Chrome desktop for google.com:
  • 45. Classiļ¬cation Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconļ¬g 0.5% Server Misconļ¬g 4.3%
  • 46. Classiļ¬cation Categories 9 195 807 reports Server Misconļ¬g 4.3%
  • 47. Server Misconļ¬guration ā€¢ Category for servers with misconļ¬gured SSL certiļ¬cates ā€¢ Right now only one subcategory: expired certiļ¬cates ā€¢ For example, huge spike of report when a certiļ¬cate deployed in production expired:
  • 48. Classiļ¬cation Categories 9 195 807 reports Captive Portals 11% Not Reviewed Yet 6% Unknown 2.5% Client Clock Misconļ¬g 0.5% Server Misconļ¬g 4.3%
  • 49. Classiļ¬cation Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Captive Portals 11% Not Reviewed Yet 6% Server Misconļ¬g 4.3% Corp Networks 2.2% Unknown 2.5% Client Clock Misconļ¬g 0.5% Dev Artifacts 0.5%
  • 50. Classiļ¬cation Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Dev Artifacts 0.5% Corp Networks 2.2%
  • 51. Classiļ¬cation Categories 9 195 807 reports Corp Networks 2.2%
  • 53. Classiļ¬cation Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Dev Artifacts 0.5% Corp Networks 2.2%
  • 54. Classiļ¬cation Categories 9 195 807 reports Dev Artifacts 0.5%
  • 56. Classiļ¬cation Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Dev Artifacts 0.5% Corp Networks 2.2%
  • 57. Classiļ¬cation Categories 9 195 807 reports Pins Misconļ¬g 34%
  • 58. Pins Misconļ¬guration ā€¢ The SSL pins hardcoded in the app do not match the serverā€™s certiļ¬cate chain ā€¢ With enforcement disabled: ā€¢ The app still works but is constantly sending reports ā€¢ With enforcement enabled: ā€¢ The appā€™s connections will fail
  • 60. ā€œOn a Thanksgiving Day, November 24, 2016 an emergency has occurred. Customers of Barclays Bank, which were users of mobile banking application, were unable to perform any transactions due to pinning the outdated intermediate certiļ¬cate in the application.ā€
  • 62. ā€œSeveral thousands of customers of small and medium-sized businesses, operating mostly in the UK market, will not be able to perform any transactions from 8.30 a.m. 25/11/16 on a "Black Friday" and during the holiday shopping period. This will affect hundreds of thousands of customer's transactions, until the application is updated, and then released again.ā€
  • 63. Pins Misconļ¬guration ā€¢ 22% of apps with more than 30% of misconļ¬guration issues ā€¢ Pressure on mobile developers to implement SSL pinning in their apps ā€¢ From security teams, bug bounties, etc. ā€¢ But most apps do not need it ā€¢ Requires not just code changes but also very good processes around server SSL keys
  • 64. Global Categories 9 195 807 reports Spyware 39% Pins Misconļ¬g 34% Server Misconļ¬g 4.3% Dev Artifacts 0.5% Corp Networks 2.2%
  • 65. Classiļ¬cation Categories 9 195 807 reports Spyware 39%
  • 66. Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports
  • 67. Spyware Categories Market Intelligenceā€Ø 3 580 078 reports MobileXpression 91% Digital Reļ¬‚ection 4% Verto Analytics 3.3% Luth 1.4% AnalyzeMe 0.3% Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports
  • 68. Spyware - Market Intel ā€¢ Mainly investigated MobileXpression and Digital Reļ¬‚ection ā€¢ Large number of reports across ~20 000 devices
  • 70. Demo
  • 72. What Happened? ā€¢ A conļ¬guration proļ¬le was installed on the device ā€¢ With an always-on VPN conļ¬g ā€¢ To route all traļ¬ƒc through the MobileXpression server ā€¢ With a custom root CA added to the deviceā€™s trust store ā€¢ To allow traļ¬ƒc decryption by the MobileXpression server MobileXpression VPN App Server
  • 73. MobileXpression? ā€œMobileXpression is a service of comScore, Inc., a global leader in measuring the digital world, providing insights into consumer behavior and attitudes.ā€
  • 74. ComScore ā€œThis capability is based on a massive, global cross-section of approximately 2 million consumers, who have allowed comScore to collect their online browsing, hardware and application usage, and purchasing behavior.ā€
  • 75. ComScore ā€¢ Owner of several ā€œmarket researchā€ apps ā€¢ MobileXpression, Digital Reļ¬‚ection ā€¢ Promise users rewards (gif cards, etc.) for installing the app and conļ¬guration proļ¬le
  • 76. ComScore ā€¢ Owner of several ā€œmarket researchā€ apps ā€¢ MobileXpression, Digital Reļ¬‚ection ā€¢ Promise users rewards (gif cards, etc.) for installing the app and conļ¬guration proļ¬le
  • 77. ComScore ā€¢ Inspect/decrypt all the usersā€™ traļ¬ƒc to measure app usage ā€¢ ComScoreā€™s business model as a "measurement companyā€
  • 78. Spyware - Market Intel ā€¢ Conļ¬guration proļ¬les are problematic ā€¢ Highly technical security warnings when installing the proļ¬le ā€¢ The proļ¬le/VPN does not get uninstalled when removing the app ā€¢ Makes sense from a technical perspective but will confuse users ā€¢ But not an easy issue to ļ¬x ā€¢ Corporate enrollment / MDM use case ā€¢ A proļ¬le can be installed directly via Safari ā€¢ Banning the spyware app from the store does not prevent it
  • 79. Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports
  • 80. Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Parental Controlā€Ø 10 820 reports Ad Blockerā€Ø 18 463 reports Defend My WiFi 59% AdBl0ck 34% AdGuard 7%
  • 81. Spyware - Ad Blocker ā€¢ Similar technical implementation with a VPN and custom CA ā€¢ Defend My WiFi ā€¢ "Automatically turns public Wi-Fi into safe and secure private WiFiā€ ā€¢ Company does not exist anymore? ā€¢ Adblock Mobile ā€¢ iOS 8: SSL mitm on ad domains only ā€¢ iOS 9+: No more custom CA installed
  • 82. Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports
  • 83. Spyware Categories Market Intelligenceā€Ø 3 580 078 reports Ad Blockerā€Ø 18 463 reports Parental Controlā€Ø 10 820 reports Qustodio 74% Accountable2You 24% Circle Go 2%
  • 84. Spyware - Parental Control ā€¢ Qustodio, Accountable2You, Circle Go ā€¢ Parental control/monitoring tools
  • 86. What did we see? ā€¢ Traļ¬ƒc interception does happen, and for many reasons ā€¢ Usually not malicious ā€¢ Employers ā€¢ Users ā€œwillinglyā€ sharing their data for a reward ā€¢ No visible move from Apple and Google on this ā€¢ Similarities and diļ¬€erences compared to previous work on the web/desktop (Google, Facebook, Cloudļ¬‚are)
  • 87. What do we do? ā€¢ Which group does your app belong to? ā€¢ It is acceptable to expose the userā€™s data to ā€œlawful interceptionā€ (such as the userā€™s employer) ā€¢ Games, Business apps ā€¢ The userā€™s data is private and can never be exposed ā€¢ Mobile banking ā€¢ Can be technically enforced via SSL pinning
  • 88. What do we do? ā€¢ More options on mobile compared to the web ā€¢ SSL reporting helps you understand what is happening across your user base ā€¢ SSL pinning can be used for sensitive apps ā€¢ Signiļ¬cant burden and risk of catastrophic failure ā€¢ Must be decided and planned carefully ā€¢ Does not prevent reverse-engineering of your app