Overview
Explore a conference talk from Black Hat USA 2012 that delves into the challenges of penetration testing mobile applications using certificate pinning. Learn about the increasing adoption of SSL certificate pinning by popular apps like Chrome, Twitter, and card.io to enhance network communication security. Discover how this technique authenticates servers without relying on device trust stores, and understand its impact on black-box testing. Gain insights into innovative tools developed for both Android and iOS platforms that enable testers to bypass certificate pinning. Examine the iOS Mobile Substrate "tweak" for run-time SSL function hooking and the custom JDWP debugger for Android API hooking. Understand the techniques used to create these tools, common use case scenarios, and witness live demonstrations of their capabilities in overcoming security obstacles during penetration testing.
Syllabus
Black Hat USA 2012 - When Security Gets in the Way: Pen Testing Apps that use Certificate Pinning
Taught by
Black Hat