Mitigating man-in-the-middle attacks on smartphones - A discussion of SSL pinning and DNSSec

Proceedings of 12th Australian Information Security Management Conference, AISM 2014

Volumn , Issue , 2014, Pages 5-13

  Moonsamy, Veelasha ^a   Batten, Lynn ^a  

^a DEAKIN UNIVERSITY   (Australia)

Author keywords

DNS; DNSSec; MiTM; Smartphone; SSL; SSL pinning

Indexed keywords

INDUSTRIAL MANAGEMENT; MALWARE; NETWORK SECURITY; SECURITY OF DATA; SIGNAL ENCODING;

APPLICATION DEVELOPERS; CERTIFICATION TESTS; DEVELOPMENT STAGES; DNSSEC; MAN IN THE MIDDLE ATTACKS; MARKET RESEARCHES; MITM; SSL PINNING;

SMARTPHONES;

EID: 85001085799     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.4225/75/57b65a25343ce     Document Type: Conference Paper

References (16)

1. Andzakovic, D. (2014, May). Bypassing SSL Pinning on Android via Reverse Engineering. Retrieved from Security-assessment.com: http://packetstorm.interhost.co.il/papers/general/android-sslpinning.pdf
2. Clark, J., & van Oorschot, P. C. (2013). SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. Proceedings of 2013 IEEE Symposium on Security and Privacy, (pp. 1-15). California.
3. Codenomicon. (2014, April). The Heartbleed Bug. Retrieved from HeartBleed Bug: http://heartbleed.com/
4. Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., & Smith, M. (2012). Why Eve and Mallory love Android: an analysis of Android SSL (in)security. Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS 2012), (pp. 50-61). North Carolina.
5. Fahl, S., Harbach, M., Perl, H., Koetter, M., & Smith, M. (2013). Rethinking SSL Development in an Appified World. Proceedings of the 20th ACM Conference on Computer and Communications Security (ACM CCS 2013), (pp. 1-12). Berlin.
6. Fetzer, C., & Jim, T. (2004). Incentives and Disincentives for DNSSEC Deployment.
7. IDC. (2014, January). Worldwide Smartphone Shipments Top One Billion Units for the First Time, According to IDC. Retrieved from IDC: http://www.idc.com/getdoc.jsp?containerId=prUS24645514
8. Kaufman, C. (1997, January). Domain Name System Security Extensions. Retrieved from http://tools.ietf.org/html/rfc2065
9. Linux. (2003). Zone Files. Retrieved from Linux Reference Guide: BIND: http://tiny.cc/punshx
10. Marlinspike, M. (2009). SSL Strip. Retrieved from http://www.thoughtcrime.org/software/sslstrip/
11. Mockapetris, P. (1987, November). Domain Names - Implementation and Specification. Retrieved from http://www.ietf.org/rfc/rfc1035.txt
12. Ogden, M. (2012, September ). Building WebView Applications. Retrieved from http://maxogden.com/building-webview-applications.html
13. Pfeifer, G., Fetzer, C., & Jim, T. (2005). Using SSL For Secure Domain Name System (DNS) Transactions. Transactions of the Technical University of Ostrava, No.2, pp.101-106.
14. Richter, F. (2013, November). Global Smartphone Traffic to Increase 10X by 2019. Retrieved from Statista: http://www.statista.com/chart/1617/global-smartphone-traffic/
15. Schwartz, M. J. (2014, February). Apple SSL Vulnerability: 6 Facts. Retrieved from Dark Reading: http://www.darkreading.com/vulnerabilities-and-threats/apple-ssl-vulnerability-6-facts/d/d-id/1113992
16. Tendulkar, V., & Enck, W. (2014). An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities. Proceedings of the 2014 Mobile Security Technologies (MoST 2014), (pp. 1-10). California.