A technique to circumvent SSL/TLS validations on iOS devices

Future Generation Computer Systems

Volumn 74, Issue , 2017, Pages 366-374

  D'Orazio, Christian J ^a   Choo, Kim Kwang Raymond ^a,b,c  

^a UNIVERSITY OF SOUTH AUSTRALIA   (Australia)

^b UNIVERSITY OF TEXAS AT SAN ANTONIO   (United States)

^c CHINA UNIVERSITY OF GEOSCIENCES   (China)

Author keywords

Certificate and public key validation; iOS security; MiTM; OpenSSL; Security; SSL pinning

Indexed keywords

IOS (OPERATING SYSTEM); PUBLIC KEY CRYPTOGRAPHY; SOCIAL SCIENCES COMPUTING;

IOS SECURITY; MITM; OPEN SSL; PUBLIC KEYS; SECURITY; SSL PINNING;

MOBILE SECURITY;

EID: 84994744881     PISSN: 0167739X     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.future.2016.08.019     Document Type: Article

References (41)

1. B. Fonseca, VeriSign issues false Microsoft digital certificates, 23 March, IT World Canada, viewed 22 March 2016, 2001. http://www.itworldcanada.com/article/verisign-issues-false-microsoft-digital-certificates/30200.
2. R. Naraine, Adobe code signing infrastructure hacked by ‘sophisticated threat actors’, 27 September, ZDNet, viewed 9 March 2016, 2012. http://www.zdnet.com/article/adobe-code-signing-infrastructure-hacked-by-sophisticated-threat-actors/.
3. J. Segura, Digital certificates and malware: a dangerous mix, 4 February, Malwarebytes LABS, viewed 9 March 2016, 2013. https://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/.
4. S. Ragan, VeriSign working to mitigate Stuxnet digital signature theft, 21 July, The Tech Herald, viewed 9 March 2016, 2010. http://www.thetechherald.com/articles/VeriSign-working-to-mitigate-Stuxnet-digital-signature-theft/10818/.
5. L.-S. Huang, A. Rice, E. Ellingsen, C. Jackson, Analyzing forged SSL certificates in the wild, in: Proceedings of the IEEE Symposium on Security and Privacy, Washington, DC, USA, 2014, pp. 83–97.
6. V. Moonsamy, L. Batten, Mitigating man-in-the-middle attacks on smartphones–a discussion of SSL pinning and DNSSec, in: Proceedings of the Australian Information Security Management Conference, Perth, WA, 2014, pp. 5–13.
7. S. Fahl, M. Harbach, H. Perl, M. Koetter, M. Smith, Rethinking SSL development in an appified world, in: Proceedings of the ACM SIGSAC Conference on Computer & Communications Security, NY, USA, 2013, pp. 49–60.
8. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, V. Shmatikov, The most dangerous code in the world: Validating SSL certificates in non-browser software, in: Proceedings of the ACM Conference on Computer & Communications Security, NY, USA, 2012, pp. 38–49.
9. L. Onwuzurike, E. De Cristofaro, Short: Danger is my middle name–experimenting with SSL vulnerabilities in android apps, in: Proceedings of the ACM Conference on Security & Privacy in Wireless and Mobile Networks, NY, USA, 2015, Article 15.
10. D. Berbecaru, A. Lioy, M. Marian, On the complexity of public-key certificate validation, in: Proceeding of the Information Security Conference, ISC, Malaga, Spain, 2001, pp. 183–203.
11. G. Keizer, Solo Iranian hacker takes credit for Comodo certificate attack, 27 March, Computerworld, viewed 13 March 2016, 2011. http://www.computerworld.com/article/2507258/security0/solo-iranian-hacker-takes-credit-for-comodo-certificate-attack.html.
12. A. Azfar, K.-K.R. Choo, L. Liu, Forensic taxonomy of popular Android mHealth apps, in: Proceedings of the Americas Conference on Information Systems, Puerto Rico, 2015.
13. M. Plachkinova, S. Andrés, S. Chatterjee, A taxonomy of mHealth apps–security and privacy concerns, in: Proceedings of the Hawaii International Conference on System Sciences, HICSS, Kauai, HI, USA, 2015, pp. 3187–3196.
14. W. Clark, Uber's App is Anything but Malware, 10 December, BETTER, viewed 10 March 2016, 2014. http://better.mobi/2014/12/10/ubers-app-is-anything-but-malware/.
15. N. Rudrappa, Defeat SSL Certificate Validation for Google Android Applications, McAfee, viewed 16 March 2016, 2013. http://www.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf.
16. D. Andzakovic, Bypassing SSL Pinning on Android via Reverse Engineering, Security-assessment.com, viewed 16 March 2016, 2014. http://security-assessment.com/files/documents/whitepapers/Bypassing%20SSL%20Pinning%20on%20Android%20via%20Reverse%20Engineering.pdf.
17. F. Sierra, A. Ramirez, Defending your android app, in: Proceedings of the ACM Conference on Research in Information Technology, NY, USA, 2015, pp. 29–34.
18. D. Mayer, Bypass OpenSSL Certificate Pinning on iOS, 7 January, NCC Group, viewed 15 March 2016, 2015. https://www.nccgroup.trust/globalassets/newsroom/us/blog/documents/2015/01/bypassing_openssl_pinning.pdf.
19. I. Dacosta, M. Ahamad, P. Traynor, Trust no one else: Detecting MITM attacks against SSL/TLS without third-parties, in: Proceedings of the European Symposium on Research in Computer Security, Pisa, Italy, 2012, pp. 199–216.
20. A. Bates, J. Pletcher, T. Nichols, B. Hollembaek, D. Tian, K.R.B. Butler, A. Alkhelaifi, Securing SSL certificate verification through dynamic linking, in: Proceedings of the ACM Conference on Computer & Communications Security, NY, USA, 2014, pp. 394–405.
21. J. Clark, P.C. Van Oorschot, SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements, in: Proceedings of the IEEE Symposium on Security and Privacy, Berkeley, CA, 2013, pp. 511–525.
22. C. Brubaker, S. Jana, B. Ray, S. Khurshid, V. Shmatikov, Using frankencerts for automated adversarial testing of certificate validation in SSL/TLS implementations, in: Proceedings of the IEEE Symposium on Security and Privacy, Washington, DC, USA, 2014, pp. 114–129.
23. S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgärtner, B. Freisleben, Why Eve and Mallory love android: An analysis of android SSL (In)security, in: Proceedings of the ACM Conference on Computer and Communications Security, NY, USA, 2014, pp. 50–61.
24. T. Trummer, T. Dalvi, Mobile SSL failures, in: Blackhat Mobile Security Summit, London, UK, 2015.
25. Damodaran, A., Di Tropia, F., Visaggio, C.A., Austin, T.H., Stamp, M., A comparison of static, dynamic, and hybrid analysis for malware detection. J. Comput. Virol. Hacking Tech., 2015, 1–12.
26. Naval, S., Laxmi, V., Rajarajan, M., Gaur, M.S., Conti, M., Employing program semantics for Malware detection. IEEE Trans. Inf. Forensics Secur., 10(12), 2015.
27. Fan, Y., Ye, Y., Chen, L., Malicious sequential pattern mining for automatic malware detection. Expert Syst. Appl. 52 (2016), 16–25, 10.1016/j.eswa.2016.01.002.
28. Cen, L., Gates, C.S., Si, L., Li, N., A probabilistic discriminative model for Android Malware detection with decompiled source code. IEEE Trans. Dependable Secure Comput. 12:4 (2015), 400–412.
29. J. Ball, J. Borger, G. Greenwald, Revealed: how US and UK spy agencies defeat Internet privacy and security, 6 September, The Guardian, viewed 25 July 2016, 2013. https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security.
30. L. Constantin, Trustwave admits issuing man-in-the-middle digital certificate, Mozilla debates punishment, 9 February, PC World, viewed 25 July 2016, 2012. http://www.pcworld.idg.com.au/article/414755/trustwave_admits_issuing_man-in-the-middle_digital_certificate_mozilla_debates_punishment/.
31. Cisco Systems, Inc., Managing SSL/TLS Traffic Flows, viewed 25 July 2016, 2013. http://www.cisco.com/c/en/us/td/docs/security/asacx/9-1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_01101.pdf.
32. IBM Corporation, IBM Security QRadar Incident Forensics, viewed 25 July 2016, 2014. http://www-03.ibm.com/software/products/en/qradar-incident-forensics.
33. Wu, J., Ota, K., Dong, M., Li, C., A hierarchical security framework for defending against sophisticated attacks on wireless sensor networks in smart cities. IEEE Access 4 (2016), 416–424.
34. He, J., Dong, M., Ota, K., Fan, M., Wang, G., NetSecCC: A scalable and fault-tolerant architecture for cloud computing security. Peer-to-Peer Netw. Appl. 9:1 (2016), 67–81.
35. Yan, J., Wang, L., Dong, M., Yang, Y., Yao, W., Identity-based signcryption from lattices. Secur. Commun. Netw. 8:18 (2015), 3751–3770.
36. Choo, K.-K.R., The cyber threat landscape: Challenges and future research directions. Comput. Secur. 30:8 (2011), 719–731.
37. Choo, K.-K.R., A conceptual interdisciplinary plug-and-play cyber security framework. Kaur, H., Tao, X., (eds.) ICTs and the Millennium Development Goals–A United Nations Perspective, 2014, Springer, New York, USA, 81–99.
38. Cahyani, N.D.W., Martini, B., Choo, K.-K.R., Al-Azhar, M.H., Forensic data acquisition from cloud-of-things devices: Windows smartphones as a case study. Concurr. Comput.: Pract. Exper., 2016, 10.1002/cpe.3855 (in press).
39. D'Orazio, C.J., Choo, K.-K.R., Yang, L.T., Data exfiltration from Internet of things devices: iOS devices as case studies. IEEE Internet Things J., 2016, 10.1109/JIOT.2016.2569094 (in press).
40. Do, Q., Martini, B., Choo, K.-K.R., Is the data on your wearable device secure? An Android wear smartwatch case study. Softw.: Pract. Exp., 2016, 10.1002/spe.2414 (in press).
41. S. Quirolgico, J. Voas, T. Karygiannis, C. Michael, K. Scarfone, Vetting the Security of Mobile Applications, NIST Special Publication 800-163, viewed 17 March 2016, 2015. http://dx.doi.org/10.6028/NIST.SP.800-163.