A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices
| Field | Value |
|---|---|
| Author | Jorge Ropero, Ángel Jesús Varela-Vaca, Alejandro Carrasco, Francisco José Ramírez-López, J. Luque |
| Language | English |
| Year of publication | 2019 |
| Subject | Computer science; General Physics and Astronomy; lcsh:Astrophysics; 02 engineering and technology; Audit; security; Computer security; computer.software_genre; Article; Android; lcsh:QB460-466; 0202 electrical engineering, electronic engineering, information engineering; Android (operating system); lcsh:Science; vulnerabilities; OWASP; SSL pinning; 020207 software engineering; lcsh:QC1-999; Security controls; mobile applications; auditing; lcsh:Q; 020201 artificial intelligence & image processing; Mobile device; computer; lcsh:Physics |
| Source | Entropy, Vol 21, Iss 12, p 1136 (2019) |
| ISSN | 1099-4300 |
| Description | The use of mobile devices has undergone rapid growth in recent years. However, on some occasions, security has been neglected when developing applications. SSL/TLS has been used for years to secure communications, although it is not a vulnerability-free protocol. One of the most common vulnerabilities is SSL pinning bypassing. This paper first describes some security controls to help protect against SSL pinning bypassing. Subsequently, some existing methods for bypassing are presented and two new methods are defined. We performed some experiments to check the use of security controls in widely used applications, and applied SSL pinning bypassing methods. Finally, we created an applicability framework, relating the implemented security controls and the methods that are applicable. This framework provides a guideline for pentesters and app developers. |
| Database | OpenAIRE |