Presentation Material
Abstract
- Mobile SSL failures
  - Failure to validate Certificate Authorities - approximately 40 well-known apps
  - Failure to validate certificate hostnames - approximately 40 well-known apps
  - Failure to encrypt at all - tens of millions of passwords and credit cards
- Recent FTC settlement related to this topic
- Review of why physical security isn't assured with mobile
  - Smudge attacks
  - No screen lock
  - Screen lock bypass
- Creating invisible MitM attacks
- Creating persistent MitM attacks
  - SSL session caching exploit
- A fool-proof defensive coding approach

We will discuss how prevalent SSL certificate validation failures are in very popular applications. We will show how some popular applications failed to encrypt traffic at all, resulting in the leakage of tens of millions of users' data. We will cover recent U.S. Government penalties that companies who fail to protect data may be subject to. We will discuss a new attack, particularly applicable to mobile and especially to the Android platform, which potentially allows for a persistent MitM attack that is undetectable on the device itself. Lastly, we will cover how organizations can implement a fool-proof method to protect themselves against this mistake.