secure communication in
play

Secure Communication in Client-Server Android Apps With a bias - PowerPoint PPT Presentation

Apr 23, 2023 •396 likes •599 views

Secure Communication in Client-Server Android Apps With a bias towards mobile banking applications. AFRICA HACKON CONFERENCE, 2016. Convergent Security. whoami Masters Candidate Ethical Hacker Web Developer Jazz fan

  1. Secure Communication in Client-Server Android Apps With a bias towards mobile banking applications. AFRICA HACKON CONFERENCE, 2016. “Convergent Security”.

  2. whoami  Masters Candidate  Ethical Hacker  Web Developer  Jazz fan (before Safaricom made everyone a ‘jazz’ fan).  Information Security consultant.  Government and private sector experience.  Former student leader.

  3. USIU Student Government  No demonstrations during our time.  Wanted to create app to solve communication problem.  Needed to convey sensitive information.  CIA was key…but mostly CI.  Should support devices all the way to 1.6. Ideos especially (back then it was the ish).  Corptabs was born.

  4. Agile-ish development.  Lots of Google-Stackoverflowing  Non-secure P.O.C was formed.  Set up SSL on localhost which Android declined.  Purchased SSL certificate from namecheap.  Set it up based on my own knowledge.  Worked only on later Android devices (4.0 and above).  Failed to work on my humble Android 2.1 device.  Back to Google-Stackoverflowing.

  5.  With a web browser, it is generally quite easy to recognize when a third party is tampering with a secure connection. This is due to warning pages presented by browsers when something is fishy with the SSL certificate, such as a certificate that has not been signed by a trusted authority.  Mobile applications, on the other hand, cannot always be counted on to display such a warning or even recognize when something is amiss.

  6. Demo  TrustAllHosts().

  7. Onward  Figured out the problem was the certificate chain and fixed.  These days the certificate chain is no longer a problem. Two intermediate certs in the store.  Now supported almost all Android phones with a $10 certificate.  Hardened server to A+ standard by removing outdated cipher suites and outdated protocols – especially SSL.  This is to protect against SSL Downgrade Attack.

  8. Problems with SSL:  Trusting all Certificates - The TrustManager interface can be implemented to trust all certificates, irrespective of who signed them or even for what subject they were issued.  Trusting many Certificate Authorities (CA)  Allowing all Hostnames  Self-signed server certificate

  9. A+ standard?

  10. F Standard

  11. NoSSLV3  Phone still downgrading to SSLv3.  Mostly when network is low.  Removed SSLv3 with the NoSSLv3 class.  So far so Good.

  12. Success? Not quite. If an intruder still wanted to read the contents being sent to the server, they could.  Install root CA and set up device on proxy server.  How can this be done?   Remotely? Possibly. Finfisher and the likes.  IT Department on Corporate network and corporate phone? Absolutely. “Convergent Security”.  “Can I borrow your phone for a sec?” While on a public network, NO! Demo.  Stolen root intermediate and root certificates (http://wiki.cacert.org/Risk/History)  By default, your App likely validates against all of the CA certificates that ship with  Android, but that means any single compromised CA in the total set can potentially compromise your communication (even if it’s not the CA you’re using) Solution? 

  13. MITM Proxy Demo  In order to be able to observe HTTPS traffic, we install the root CA certificate on the device.  This allows the app to verify certificates that were signed allowing the TLS handshake to happen between the app and Charles.  We then forwards the app’s request to the backend using normal HTTPS protocols.  Demo with live banking app.

  14. Damn…  Customers want apps.  What to do?

  15. Remediation  Certificate pinning done right.  For f*cks sake, hash and salt passwords.  Don’t send password with every request (Guilty as charged).  Use cookies instead (will only support 2.3 and above on Android).  All these solutions available on https://github.com/echebukati/sec- android-post  Constantly check the certificates installed on your device.  Obfuscate URLs.  Demo of soln.

  16. Remediation: Certificate Pinning  Pinning is the process of associating a host with their expected X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is associated or 'pinned' to the host.  Certificate Pinning can be done two different ways: by pinning the certificate itself, or by pinning just the public key.

  17. Pinning

  18. Future  Do this on a self signed setup.  Improvements as they come.

  19. Thankyou 

  20. Emmanuel Chebukati, CEH, ISA. echebukati@gmail.com

Recommend

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key

Secure Communication Secure Communication Lecture 14 Wrap-Up We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE

1.07k views • 72 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Secure Communication Hacking/Hustling Workshop @ Eyebeam About me Liz! She/Her Electrical

Secure Communication Hacking/Hustling Workshop @ Eyebeam About me Liz! She/Her Electrical

Secure Communication Hacking/Hustling Workshop @ Eyebeam About me Liz! She/Her Electrical Engineer/Embedded developer Teaching for a while Overview Signal is one example of a third-party app for secure texting. Well go over what it does

819 views • 32 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block & stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.) Samuel Ranellucci (Unbound Tech) Xiao Wang (MIT & Boston U.) Secure Computation 4 parties each hold private data. They wish to compute C(x 1

414 views • 24 slides
Secure Vehicular Communication System: Design & Implementation of VPKI (Providing Credential

Secure Vehicular Communication System: Design & Implementation of VPKI (Providing Credential

Secure Vehicular Communication System: Design & Implementation of VPKI (Providing Credential Management in a Secure VANET) Supervisor: MSc Thesis: Prof. Panos Papadimitratos Mohammad Khodaei LCN KTH October, 2012 1 / 38 Outline

519 views • 48 slides
Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation Computation How to Run Sublinear Algorithms in a Distributed Algorithms in a Distributed Setting Elette Boyle Shafi Goldwasser Stefano Tessaro

1.01k views • 36 slides
SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

U U U U U U U- U - - communication - - - - - communication communication communication communication communication communication communication Korea Mobile Market Trend for Convergence & Ubiquitous Communication 2004.

400 views • 16 slides
Joseph Jaeger Igors Stepanovs Alice and Bob want E2E secure communication But what about E2E

Joseph Jaeger Igors Stepanovs Alice and Bob want E2E secure communication But what about E2E

Optimal Channel Security Against Fine-Grained State Compromise: The Safety of Messaging Joseph Jaeger Igors Stepanovs Alice and Bob want E2E secure communication But what about E2E Tools? Plenty of Theory Symmetric encryption Asymmetric

475 views • 18 slides
A survey of Key Management for Secure Group Communication Sandro Rafaeli and David Hutchison

A survey of Key Management for Secure Group Communication Sandro Rafaeli and David Hutchison

A survey of Key Management for Secure Group Communication Sandro Rafaeli and David Hutchison Presented By: Anil Bazaz CS6204, Spring 2005 Intro: Group Communication Uses IP multicast to transmit data Does not limit access to data No

543 views • 19 slides
Distributed Systems Secure Communication Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Secure Communication Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Secure Communication Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Symmetric cryptography Both parties

860 views • 60 slides
Secure Communication by Ratcheting F Bet ul Durak and Serge Vaudenay COLE POLYTECHNIQUE

Secure Communication by Ratcheting F Bet ul Durak and Serge Vaudenay COLE POLYTECHNIQUE

Secure Communication by Ratcheting F Bet ul Durak and Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE SV 2018 ratchet ASK 2018 1 / 43 Secure Communication 1 Ratcheting 2 Our Results 3 SV 2018 ratchet ASK 2018 2 / 43

926 views • 43 slides
Multi Party secure communication C D A B E F N parties want to communicate securely with

Multi Party secure communication C D A B E F N parties want to communicate securely with

1 Key Establishment Chester Rebeiro IIT Madras 2 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If U sends a message to V (U V and U,V {a,b,c,d,e,f})

721 views • 55 slides
All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab

All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab

All wireless communication stacks are equally broken Jiska Classen Secure Mobile Networking Lab - SEEMOO Technische Universitt Darmstadt, Germany A foundation talk??? Wireless communication is fun damentally broken focus: everything in

687 views • 42 slides
You thought your communication was secure? Quantum computers are coming! Daniel J. Bernstein 1 , 2

You thought your communication was secure? Quantum computers are coming! Daniel J. Bernstein 1 , 2

You thought your communication was secure? Quantum computers are coming! Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit Eindhoven 2 University of Illinois at Chicago 16 April 2016 1 / 33 Cryptography Motivation

1.01k views • 57 slides
Secure Group Communication Related Issues Presenter: Haiyan Cheng CS 6204, Spring 2005 1

Secure Group Communication Related Issues Presenter: Haiyan Cheng CS 6204, Spring 2005 1

Secure Group Communication Related Issues Presenter: Haiyan Cheng CS 6204, Spring 2005 1 Outlines Addresses relevant security issues for IP multicast network Investigates steps to create secure multicast sessions Group membership

444 views • 19 slides
Error Detection and Correction: Nim; Secure Communication; RAID Greg Plaxton Theory in

Error Detection and Correction: Nim; Secure Communication; RAID Greg Plaxton Theory in

Error Detection and Correction: Nim; Secure Communication; RAID Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin The Game of Nim Initially, there are a number of piles of

361 views • 13 slides
SD-WAN Secure Communication Designs and Vulnerabilities Denis Kolegov @dnkolegov DeepSec 2019

SD-WAN Secure Communication Designs and Vulnerabilities Denis Kolegov @dnkolegov DeepSec 2019

SD-WAN Secure Communication Designs and Vulnerabilities Denis Kolegov @dnkolegov DeepSec 2019 # whoami Ph.d, associate professor at Tomsk State University Principal security researcher at BI.Zone LLC SD-WAN New Hope and AIsec team

1.66k views • 107 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Secure WAN communication for teleworkers. A case study. Presentation at the ICETA 2001, Kosice,

Secure WAN communication for teleworkers. A case study. Presentation at the ICETA 2001, Kosice,

Secure WAN communication for teleworkers. A case study. Presentation at the ICETA 2001, Kosice, Slovak Republic (http://www.fim.uni-linz.ac.at/iceta2001) o. Univ.-Prof. Dr. Jrg R. Mhlbacher Dipl.-Ing. Rudolf Hrmanseder Institute for

595 views • 16 slides
Authentication and technology Secure Communication people Jeff Chase Duke University Where

Authentication and technology Secure Communication people Jeff Chase Duke University Where

Authentication and technology Secure Communication people Jeff Chase Duke University Where are the boundaries of the system that you would like to secure? Where is the weakest link? What happens when the weakest link fails? The First

574 views • 10 slides
Authentication and Secure Communication Jeff Chase Duke University technology people Where

Authentication and Secure Communication Jeff Chase Duke University technology people Where

Authentication and Secure Communication Jeff Chase Duke University technology people Where are the boundaries of the system that you would like to secure? Where is the weakest link? What happens when the weakest link fails? The First

1.19k views • 60 slides
Public Key Cryptography Introduction Foundation of todays secure communication Allows

Public Key Cryptography Introduction Foundation of todays secure communication Allows

Public Key Cryptography Introduction Foundation of todays secure communication Allows communicating parties to obtain a shared secret key Public key (for encryption) and Private key (for decryption) Private key (for digital

1.15k views • 56 slides

More recommend