A technique to circumvent SSL/TLS validations on iOS devices |
| |
Affiliation: | 1. Department of Computer Science and Engineering, Ewha Womans University, Seoul, South Korea;2. Department of Computer Science and Electrical Engineering, University of Maryland, Baltimore County, Baltimore, MD, USA |
| |
Abstract: | SSL/TLS validations such as certificate and public key pinning can reinforce the security of encrypted communications between Internet-of-Things devices and remote servers, and ensure the privacy of users. However, such implementations complicate forensic analysis and detection of information disclosure; say, when a mobile app breaches user’s privacy by sending sensitive information to third parties. Therefore, it is crucial to develop the capacity to vet mobile apps augmenting the security of SSL/TLS traffic. In this paper, we propose a technique to bypass the system’s default certificate validation as well as built-in SSL/TLS validations performed in iOS apps. We then demonstrate its utility by analysing 40 popular iOS social networking, electronic payment, banking, and cloud computing apps. |
| |
Keywords: | Certificate and public key validation MiTM Security iOS security SSL pinning OpenSSL |
本文献已被 ScienceDirect 等数据库收录! |
|