TRANSCRIPT
Security Through Obscurity... powered by Transport Layer Encryption!
Peter Frühwirt, SBA Research
Sebastian Schrittwieser, FH St. Pölten
SSL != protection against protocol analysis
SSL interception enables man-in-the-middle attacks for protocol analysis purposes
transport layer encryption cannot replace good protocol design!
Certificates?
http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c
Quizduell
highly popular in Austria
Let’s play a round of Quizduell ;)
Photoswap
for i in {1..112711}; do wget -k http://www.fototausch.app.de/images/$i.jpg; done
(iP)_ACF814E4E7914DECAA91DE3336F2C9D9-20140318062452.jpg
(WP)_WByn38Nd8wLfPoHQd3PzHbf2P9E_3d-20140318102034.jpg
357506057844677-20140318102050.jpg
file name = phone type / hardware ID / time stamp
IMEI
download pictures
delete picture
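The file names above are the whole weakness: each one carries a device identifier and the upload time, so a listing can be walked and the IMEI read straight off the name. The following Python is an added example, not code from the talk or from the Photoswap app. It parses the three name shapes shown on the slide, flags the 15-digit Luhn-valid number as an IMEI candidate, and shows a hardened naming scheme (an assumption of this example: random names that carry no device or time information). The sample names are constructed copies of the three on the slide.

```python
import re
import secrets
from datetime import datetime

# Constructed sample names, copied from the three shapes shown on the slides.
SAMPLE_NAMES = [
    "(iP)_ACF814E4E7914DECAA91DE3336F2C9D9-20140318062452.jpg",
    "(WP)_WByn38Nd8wLfPoHQd3PzHbf2P9E_3d-20140318102034.jpg",
    "357506057844677-20140318102050.jpg",
]

# Optional "(phone type)_" prefix, then a hardware id, then a 14-digit timestamp.
NAME_RE = re.compile(
    r"^(?:\((?P<platform>[A-Za-z]+)\)_)?(?P<hwid>[^-]+)-(?P<ts>\d{14})\.jpg$"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by IMEIs (15 digits, the last one is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(name: str):
    """Return what a public object name reveals, or None if it has another shape."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    hwid = m.group("hwid")
    return {
        "platform": m.group("platform"),          # "iP", "WP" or None
        "hardware_id": hwid,
        # a 15-digit number with a valid Luhn check digit is very likely an IMEI
        "imei_like": len(hwid) == 15 and hwid.isdigit() and luhn_ok(hwid),
        # device id + upload time: the name is guessable once either is known
        "timestamp": datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S"),
    }


def leaking_names(names):
    """Filter a listing down to the names that carry a device identifier."""
    return [n for n in names if classify(n) is not None]


def safe_object_name(ext: str = "jpg") -> str:
    """Hardened alternative (an assumption of this example, not the app's scheme):
    a random, unguessable name that says nothing about uploader or upload time."""
    return f"{secrets.token_urlsafe(32)}.{ext}"


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, "->", classify(n))
    print("hardened:", safe_object_name())
```

The random name only fixes enumeration; a delete or download request still needs an ownership check on the server, which the unguessable name does not replace.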
Countermeasures?
Certificate Pinning
Verifies that a particular, known certificate is used
Reduced costs
Increased security
Less flexibility
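What a pin check looks like in code, as an added example that is not from the talk or from any of the apps listed: the client keeps the SHA-256 fingerprints of its server's certificate (plus a backup pin for the next one) and refuses the connection when the leaf presented by the peer matches none of them, even though chain validation succeeded. The pin values, host name and certificate bytes below are constructed placeholders.

```python
import hashlib
import socket
import ssl


class PinMismatch(ssl.SSLError):
    """Raised when the server presented a certificate that is not in the pin set."""

    def __init__(self, host: str, seen: str):
        super().__init__(f"certificate pin mismatch for {host}: got {seen}")
        self.host = host
        self.seen = seen


def fingerprint(der_cert: bytes) -> str:
    """Pin value: SHA-256 of the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pins) -> bool:
    """True if the presented certificate is one of the pinned fingerprints.

    Keep at least one backup pin for the next certificate, otherwise a routine
    rotation turns into the "less flexibility" outage the slide warns about.
    """
    return fingerprint(der_cert) in {p.strip().lower() for p in pins}


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and additionally enforce the pin on the leaf certificate.

    Normal chain and hostname validation still run first; the pin check sits on
    top of them, so an interception proxy whose CA was installed on the device
    still fails here because its substitute leaf has a different fingerprint.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not check_pin(der, pins):
        tls.close()
        raise PinMismatch(host, fingerprint(der or b""))
    return tls


if __name__ == "__main__":
    # Constructed stand-ins for DER certificate bytes; no network needed.
    leaf = b"constructed DER bytes standing in for the real server certificate"
    proxy_leaf = b"constructed DER bytes of an interception proxy's substitute leaf"
    pins = {fingerprint(leaf)}
    print("genuine leaf accepted:", check_pin(leaf, pins))        # True
    print("proxy leaf accepted:  ", check_pin(proxy_leaf, pins))  # False
```

Pinning the leaf is the strictest option; pinning an intermediate or the SPKI instead trades some of that strictness for easier rotation, and the choice should be made before the first release, since a shipped pin can only be changed by updating the app.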
Chart of examined apps: 75 % / 25 % (legend: certificate pinning, no certificate pinning)
Apps examined: Facebook Messenger, Shazam, eBay, ÖBB Scotty, AntiVirus Security, Tango, Google Earth, LOVOO, Geizhals, Stocard, AutoScout24, wetter.com, LogoQuiz, WhatsApp, Snapchat, Tinder, Navigon, Runtastic, iMessage, Quizduell, AppStore, Viber, Hike, Rublys
never ever trust the client (even if it’s your own client)!
server-side validation of every client request
(the 80’s called and want their advice back)
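The two rules above, server-side validation of every request and no trust in the client, put into a minimal quiz back end. This is an added example written for this page, not the Quizduell server or any code from the talk; the question bank and the request shapes are constructed. The hardened server keeps the correct answers to itself and scores each submission itself; the second class shows the shape being warned against, where the client simply reports the score it would like to have.

```python
# Constructed question bank.  The correct index stays on the server and is never
# part of anything sent to the client.
QUESTIONS = {
    "q1": {
        "text": "Which protocol sits directly below HTTPS?",
        "options": ["TLS", "FTP", "SMTP"],
        "correct": 0,
    },
    "q2": {
        "text": "What does transport encryption not prevent?",
        "options": ["eavesdropping on the wire", "protocol analysis by the device owner"],
        "correct": 1,
    },
}


class QuizServer:
    """The slide's advice applied: every request is validated on the server."""

    def __init__(self, questions=QUESTIONS):
        self.questions = questions
        self.scores = {}
        self.answered = set()        # (player, qid): each question counts once

    def question_for_client(self, qid: str) -> dict:
        """What the client receives: text and options, never the answer key."""
        q = self.questions[qid]
        return {"id": qid, "text": q["text"], "options": list(q["options"])}

    def submit_answer(self, request: dict) -> dict:
        # Take only the fields the protocol defines; anything else the client
        # sends (e.g. a "score" it would like to have) is ignored.
        player = request.get("player")
        qid = request.get("qid")
        choice = request.get("choice")
        if not isinstance(player, str) or qid not in self.questions:
            raise ValueError("unknown player or question")
        options = self.questions[qid]["options"]
        if type(choice) is not int or not 0 <= choice < len(options):
            raise ValueError("choice out of range")
        if (player, qid) in self.answered:
            raise ValueError("question already answered")   # no replaying a correct answer
        self.answered.add((player, qid))
        correct = choice == self.questions[qid]["correct"]
        self.scores[player] = self.scores.get(player, 0) + (1 if correct else 0)
        return {"correct": correct, "score": self.scores[player]}


class TrustingServer:
    """The anti-pattern the talk describes: the client reports its own result."""

    def __init__(self):
        self.scores = {}

    def submit_result(self, request: dict) -> dict:
        self.scores[request["player"]] = request["score"]   # believed as-is
        return {"score": self.scores[request["player"]]}


if __name__ == "__main__":
    honest = {"player": "alice", "qid": "q1", "choice": 0}
    tampered = {"player": "mallory", "qid": "q1", "choice": 1, "score": 9999}
    good = QuizServer()
    print(good.submit_answer(honest))     # {'correct': True, 'score': 1}
    print(good.submit_answer(tampered))   # {'correct': False, 'score': 0}
    bad = TrustingServer()
    print(bad.submit_result(tampered))    # {'score': 9999}
```

The same request reaches both servers; only the one that recomputes the result from its own state is unaffected by a modified client, which is exactly the property transport encryption alone cannot give you.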
secure side channel
establish a trusted second channel
Conclusions
‣ Many smartphone applications implement insecure protocols
‣ These protocols are hidden behind transport encryption, which does not prevent protocol analysis
‣ Don’t rely on Security through Obscurity