WHEN SECURITY GETS IN THE WAY: PENTESTING MOBILE APPS THAT USE CERTIFICATE PINNING presented at BlackHat USA 2012

by Justine Osborne, Alban Diquet,

Tags: Mobile Security Application Security Certificate Pinning

Summary : More and more mobile applications such as the Chrome, Twitter and card.io apps have started relying on SSL certificate pinning to further improve the security of the application\'s network communications. Certificate pinning allows the application to authenticate the application\'s servers without relying on the device trust store. Instead, a white-list of certificates known to be used by the servers is directly stored in the application, effectively restricting the set of certificates the application will accept when connecting to those servers.
While improving the security of end users, not using the device trust store to validate the servers\' identity also makes black-box testing of such apps much more challenging. Without access to the application\'s source code to manually disable certificate validation, the tester is left with no simple options to intercept the application\'s SSL traffic.
We\'ve been working on a set of tools for both Android and iOS to make it easy to defeat certificate pinning when performing black-box testing of mobile apps.
On iOS, a Mobile Subtrate "tweak" has been developed in order to hook at run-time specific SSL functions performing certificate validation. Using Cydia, the "tweak" can easily be deployed on a jailbroken device, allowing the tester to disable certificate validation for any app running on that device in a matter of minutes.
For Android applications, a custom JDWP debugger has been built to perform API hooking tasks. This tool can be easily used on any Android device or emulator that allows USB debugging and application debugging.
This presentation will discuss the techniques we used to create those iOS and Android API hooking tools, common use case scenarios, and demonstrations of the tools in action.