APPSEC Cali 2018 - Where, how, and why is SSL traffic on mobile getting intercepted?


Abstract:
Over the last two years, we have received and analyzed more than ten million SSL validation failure reports from more than a thousand iOS and Android apps available on the app stores and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.

We analyzed each of these reports to understand what caused the SSL connection to fail, then grouped similar failures into classes of SSL incidents. Throughout this presentation, we will describe the analysis we performed and present our findings.

First, we will provide a high-level overview of where, how, and why SSL incidents occur across the world for iOS and Android users, and describe the various classes of incidents we detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well known and understood, though we will provide new insight into how widespread they are.

Then, we will take a closer look at a few notable incidents we detected that were caused by unexpected or even suspicious actors. We will describe our investigations and what we found.

Lastly, we will provide real-world guidance for mobile developers on how to protect their apps against traffic interception and attacks.
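The reports described in the abstract are produced when an app's own certificate check rejects the chain the server presented, and the protection the last paragraph alludes to is typically public-key pinning. The following is an added example, not code from the talk, from Data Theorem, or from TrustKit: it computes the SHA-256-over-SubjectPublicKeyInfo pin used by HPKP (RFC 7469) and TrustKit from a DER certificate, checks a served chain against a pinned set, and emits a validation-failure report when nothing matches. To run offline it builds its own minimal DER certificates with a hypothetical RSA key body and an unverified dummy signature; the hostname and keys are constructed for the example.

```python
import base64
import hashlib
import json

# --- Minimal DER encode/decode helpers (written for this example) ----------

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, end_of_tlv)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(content):
    """Split a SEQUENCE body into (tag, raw_tlv) pairs, keeping outer bytes."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_read(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

# --- SPKI pin computation (RFC 7469 / TrustKit pin format) -----------------

def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo from an X.509 certificate."""
    tag, cert_body, _ = der_read(cert_der)
    tbs_tag, tbs_body, _ = der_read(cert_body)   # first field: tbsCertificate
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    # RFC 5280 order: serial, signature, issuer, validity, subject, SPKI
    spki_tag, spki_raw = fields[5]
    if spki_tag != 0x30:
        raise ValueError("unexpected tag where subjectPublicKeyInfo expected")
    return spki_raw

def spki_pin(cert_der):
    """Base64(SHA-256(DER SubjectPublicKeyInfo)), the pin HPKP/TrustKit use."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def validate_pins(hostname, chain_der, pinned):
    """Pinning check: pass (None) if any cert in the served chain carries a
    pinned public key; otherwise return a validation-failure report."""
    served = [spki_pin(c) for c in chain_der]
    if any(p in pinned for p in served):
        return None
    return {"hostname": hostname, "served-pins": served,
            "expected-pins": sorted(pinned)}

# --- Constructed test certificates (no real key, signature not verified) --

RSA_OID = bytes.fromhex("2A864886F70D010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption

def fake_spki(key_bytes):
    """Hypothetical SPKI: rsaEncryption AlgorithmIdentifier + BIT STRING body."""
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + key_bytes))

def fake_cert(spki, cn):
    """Minimal v3 certificate structure around the given SPKI (dummy signature)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn))))
    validity = der(0x30, der(0x17, b"180101000000Z") + der(0x17, b"280101000000Z"))
    sig_alg = der(0x30, der(0x06, SHA256_RSA_OID) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 32))

if __name__ == "__main__":
    host = b"api.example.com"                         # constructed hostname
    legit = fake_cert(fake_spki(b"\x01" * 64), host)  # the server's real key
    renewed = fake_cert(fake_spki(b"\x01" * 64), host)  # same key, new cert
    mitm = fake_cert(fake_spki(b"\x02" * 64), host)   # interception proxy key
    pins = {spki_pin(legit)}
    print(validate_pins("api.example.com", [renewed], pins))  # None: key pinned
    print(json.dumps(validate_pins("api.example.com", [mitm], pins), indent=2))
```

Pinning the SPKI hash rather than the whole certificate is what lets the check survive routine certificate renewal while still rejecting a proxy's substitute key; in production, pin at least one backup key and ship the report over a channel that is itself exempt from pinning, or the report never leaves the device.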

Alban Diquet is Head of Engineering at Data Theorem, a cloud-enabled scanning service for mobile application security and data privacy. Alban's research focuses on security protocols, data privacy, and mobile security. Alban has released several open-source security tools, including SSLyze, iOS SSL Kill Switch, and TrustKit. He has presented at various security conferences, including Black Hat USA, Hack in the Box, and Ruxcon. Prior to joining Data Theorem, Alban was a Principal at iSEC Partners, Inc. Alban received an MS in Computer and Electrical Engineering from the Institut Superieur d'Electronique de Paris in Paris, France, and an MS in Secure and Dependable Computer Systems from Chalmers University in Gothenburg, Sweden.

Managed by the official OWASP Media Project

Posted March 27, 2018