Explore a conference talk from Black Hat USA 2012 that delves into the challenges of penetration testing mobile applications using certificate pinning. Learn about the increasing adoption of SSL certificate pinning by popular apps like Chrome, Twitter, and card.io to enhance network communication security. Discover how this technique authenticates servers without relying on device trust stores, and understand its impact on black-box testing. Gain insights into innovative tools developed for both Android and iOS platforms that enable testers to bypass certificate pinning. Examine the iOS Mobile Substrate "tweak" for run-time SSL function hooking and the custom JDWP debugger for Android API hooking. Understand the techniques used to create these tools, common use case scenarios, and witness live demonstrations of their capabilities in overcoming security obstacles during penetration testing.
When Security Gets in the Way - Pen Testing Apps That Use Certificate Pinning
Overview
Syllabus
Black Hat USA 2012 - When Security Gets in the Way: Pen Testing Apps that use Certificate Pinning
Taught by
Black Hat
Related Courses
-
Fun with Frida on Mobile - Leveraging Dynamic Analysis Tools
-
Stick a Pin in Certificate Pinning - How to Inspect Mobile Traffic and Stop Data Exfiltration
-
TrustKit - Code Injection on iOS 8 for the Greater Good
-
Towards a Taxonomy of Network Security Testing Techniques
-
Secrets and Lies: Protecting Mobile Apps Through Cryptography and Obfuscation
-
Abusing Web APIs Through Scripted Android Applications
