Collaborate Disseminate
To implement Cert Pinning on a native mobile app on (e.g. iOS), a new API end-point is being established (e.g. api.example.com). This URL will be setup with a self-signed SSL certificate.
This API end-point URL is meant to b… Continue reading Cert Pinning on mobile app – does it really require a public SSL cert on the server side?
As certificates have expiration dates, the pinned certificate of the server will eventually have to be replaced. This process generally calls for some application/client side update to make the client aware of the new certificate ‘to pin’.
Are there best-practices on how this transition/change can be managed?
I’m thinking of something more sophisticated than two people pressing a button at the same time (i.e. the server cert being updated and the application forcing the user to update)… The organisational processes involved here can be non-trivial, especially since the release and maintenance cycles of client/server/operations might be running according to different schedules and priorities.
Maybe something like (I’m just writing down a rather naive approach here):
–> This would allow new ‘pinned’ certificates for a server to be delivered well in advance of actually switching certificates on the server.
Continue reading SSL Pinning: Managing changes in the pinned certification on client side
I am using this Cordova plugin to implement SSL pinning in an Android application.
I don’t know how to simulate the environment for testing if it’s working fine.
The infosec team in my firm is telling me that if the connect… Continue reading How to simulate environment for testing whether SSL pinning is working fine in an Android application?
A remote code execution in Firefox caused by the expiration of certificate pins was patched by Mozilla in Firefox 49 and Firefox ESR 45.4. Continue reading Mozilla Patches Certificate Pinning Vulnerability in Firefox
Mozilla is expected tomorrow to patch a critical certificate pinning vulnerability in Firefox’s automated update process for extensions. Continue reading Mozilla Patching Firefox Certificate Pinning Vulnerability
Google last week announced changes in the way it will handle trusted Certificate Authorities in Nougat, the latest version of the Android operating system. Continue reading Google Updates CA Trust Mechanisms in Android Nougat
A security researcher could have stolen as much as $25 Billion from one of the India’s biggest banks ‒ Thanks to the bank’s vulnerable mobile application.
Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just
Continue reading Hacker finds flaws that could let anyone steal $25 Billion from a Bank
Does WhatsApp use certificate pinning? I found a post by Preatorian Security from February 2014 that points the lack of certificate pinning as a major security problem, and mentions:
Update 02/21/2014: WhatsApp is activel… Continue reading Does WhatsApp use certificate pinning?
I’m just learning the iOS security. This is completely a beginner question.
I’m trying to figure out whether there is any particular way to check if an iOS app is implementing SSL Pinning functionality.
I’ve currently checked the SSL tra… Continue reading Is there any way or tool to check whether a particular iOS app is implementing SSL Pinning functionality?
I read in the OWASP cheat sheet regarding certificate / public-key pinning that “Google rotates its certificates … about once a month … [but] the underlying public keys … remain static”.
Increasing the fre… Continue reading What is the purpose of frequently rotating TLS certificates without changing underlying keys?