public key pinning - jiahaoliuliu - droidcon2016
TRANSCRIPT
-
8/19/2019 Public Key Pinning - Jiahaoliuliu - DroidCon2016
1/11
PUBLIC KEY PINNING
Android security by jiahaoliuliu
INDEX
What is it?
How to implement it?
Demo
Dos and don’ts
ME
WHAT IS IT?
Source: http://oscarpadial.com/como-evaluar-la-configuracion-ssl/
WHAT IS IT?
Relies on the SSL certificate
The certificate contains the public key of the server; it can be extracted with:
openssl s_client -connect random.org:443 </dev/null 2>/dev/null | openssl x509 -pubkey -noout
The public key is pinned (saved) in the client
IMPLEMENTATION
• Based on TrustManager
• Use HurlStack in Volley
// Install the pinning TrustManager in an SSLContext and hand its socket factory to Volley
TrustManager[] tm = {new PublicKeyManager()};
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tm, null);
HurlStack hurlStack = new HurlStack(null, sslContext.getSocketFactory());
Volley.newRequestQueue(this, hurlStack).add(jsonObjectRequest);
PUBLIC KEY MANAGER
• Contains the public key as a string
• Requests the certificate on init
1. Extract the public key
2. Compare
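A worked version of the PublicKeyManager described on this slide, added here as an example and not taken from the talk's repository. It assumes the pin is passed in as the base64 body of the "openssl x509 -pubkey" output (PEM header, footer and newlines removed), validates the chain against the system trust store first, and then compares the leaf certificate's public key against the pin in constant time.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical pinning TrustManager (example code, not the talk's own implementation).
public class PublicKeyManager implements X509TrustManager {
    private final X509TrustManager system; // platform CA validation
    private final byte[] pinnedSpki;       // pinned server public key, DER SubjectPublicKeyInfo

    public PublicKeyManager(String pinnedSpkiBase64) throws GeneralSecurityException {
        // java.util.Base64 needs Android API 26+; use android.util.Base64 on older levels.
        this.pinnedSpki = Base64.getDecoder().decode(pinnedSpkiBase64);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the system trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.system = found;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Ordinary chain validation first; pinning adds to it, it does not replace it.
        system.checkServerTrusted(chain, authType);
        // 1. Extract the leaf certificate's public key (DER SubjectPublicKeyInfo).
        byte[] spki = chain[0].getPublicKey().getEncoded();
        // 2. Compare against the pin in constant time; reject the connection on mismatch.
        if (!MessageDigest.isEqual(spki, pinnedSpki)) {
            throw new CertificateException("server public key does not match the pinned key");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client certificates are not accepted");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
}
```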
Demo
https://github.com/jiahaoliuliu/PublicKeyPinning
DO & DON’T
Do
High security risk
Banking applications
Don’t
Frequent changes to the SSL certificate
Speed over security
@jiahaoliuliu
Questions
mailto:[email protected]