Security Through Obscurity... powered by Transport Layer Encryption!

Peter Frühwirt, SBA ResearchSebastian Schrittwieser, FH St. Pölten

SSL != protection against protocol analysis

SSL interception enables man-in-the-middle attacks

for protocol analysis purposes

transport layer encryption cannot replace good protocol design!

Certificates?

http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c

Quizduell

highly popular in Austria

highly popular in Austria

Let’s play a round of Quizduell ;)

Photoswap

for=i=in={1..112711};=do=wget=.k=http://www.fototausch.app.de/images/$i.jpg;=done

(iP)_ACF814E4E7914DECAA91DE3336F2C9D9-20140318062452.jpg

(WP)_WByn38Nd8wLfPoHQd3PzHbf2P9E_3d-20140318102034.jpg

357506057844677-20140318102050.jpg

hardware ID time stampphone type

IMEI

(iP)_ACF814E4E7914DECAA91DE3336F2C9D9-20140318062452.jpg

(WP)_WByn38Nd8wLfPoHQd3PzHbf2P9E_3d-20140318102034.jpg

357506057844677-20140318102050.jpg

hardware ID time stampphone type

IMEI

download pictures

delete picture

Countermeasures?

Certificate Pinning

Verification if particular certificate is used

Reduced costs

Increased security

Less flexibility

75 %

25 %

certificate pinningno certificate pinning

Facebook

Facebook Messenger

Shazam

eBay

ÖBB Scotty

AntiVirus Security

Tango

Google Earth

LOVOO

Geizhals

Geizhals

Stocard

AutoScount24wetter.com

Twitter

LogoQuizWhatsapp

Snapchat

Tinder

NavigonRuntastic

iMessage

Quizduell

AppStore

Viber

Hike

Rublys

Quizduell

never ever trust the client (even if it’s your own client)!

server-side validation of every client request

(the 80’s called and want their advice back)

secure side channel

establish a trusted second channel

Conclusions

‣ Many smartphone applications implement insecure protocols

‣ These protocols are hidden behind transport encryption, which does not prevent protocol analysis

‣ Don’t rely on Security through Obscurity