8/19/2019 Public Key Pinning - Jiahaoliuliu - DroidCon2016
PUBLIC KEY PINNING
Android security by jiahaoliuliu
INDEX
What is it?
How to implement it?
Demo
Do and don’ts
ME
WHAT IS IT?
Source: http://oscarpadial.com/como-evaluar-la-configuracion-ssl/
WHAT IS IT?
Relies on the server's TLS (SSL) certificate
The certificate contains the server's public key; to extract it:
openssl s_client -connect random.org:443 -servername random.org </dev/null | openssl x509 -pubkey -noout
That public key is pinned (stored) in the client and compared with the key the server presents on every connection
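Added example, not part of the slides: the rest of the pipeline that turns the public key printed above into a pin value. Rather than storing the whole PEM string, the usual pin is the base64-encoded SHA-256 of the DER-encoded SubjectPublicKeyInfo, which is the form Android's network security configuration and HPKP use. It assumes openssl is on PATH; random.org is only the slide's illustration, and the offline functions take local PEM files so the result can be cross-checked against the private key before it is hard-coded into an app.

```shell
#!/bin/sh
# Compute public-key pins: base64(SHA-256(DER SubjectPublicKeyInfo)).
set -eu

# Pin from a PEM certificate file (e.g. saved from `openssl s_client ... | openssl x509`).
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# The same pin derived from the matching private key; both values must agree,
# otherwise the certificate you fetched is not the one you think it is.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform der \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# Pin straight from a live server (needs network; the offline check uses the two above).
spki_pin_from_server() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# Usage: sh pin.sh cert.pem  -> prints the pin for that certificate.
if [ "$#" -gt 0 ]; then
    spki_pin_from_cert "$1"
fi
```

Generate the pin for the current key and for the backup key you keep offline, and ship both to the app; the backup pin is what lets you rotate the server key without pushing an emergency app update.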
IMPLEMENTATION
• Based on a custom TrustManager
• Use HurlStack in Volley to plug in the SSLSocketFactory built from it
TrustManager[] tm = {new PublicKeyManager()};
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tm, null);
HurlStack hurlStack = new HurlStack(null, sslContext.getSocketFactory());
Volley.newRequestQueue(this, hurlStack).add(jsonObjectRequest);
PUBLIC KEY MANAGER
• Contains the pinned public key as a string
• Receives the server certificate chain on each connection
1. Extract the public key from the leaf certificate
2. Compare it with the pinned key; reject the connection on mismatch
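Added example of the PublicKeyManager described above; it is written for this page and is not the code in the author's repository. Two choices differ from the literal slide: the pinned value is the base64 SHA-256 of the leaf's SubjectPublicKeyInfo rather than the raw key string, and the platform's default X509TrustManager is run first so that pinning is layered on top of normal chain validation instead of replacing it. The PINS entries are placeholders to be replaced with values from the openssl pipeline; the class name and the use of android.util.Base64 are assumptions.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import android.util.Base64;

/** TrustManager that runs the system chain validation and then pins the leaf public key. */
public final class PublicKeyManager implements X509TrustManager {
    // base64(SHA-256(DER SubjectPublicKeyInfo)). PLACEHOLDER values: replace with the
    // real pin plus at least one backup pin so a key rotation does not brick the app.
    private static final String[] PINS = {
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // current server key (placeholder)
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="  // backup key (placeholder)
    };

    private final X509TrustManager systemTrustManager;

    public PublicKeyManager() throws Exception {
        // Reuse the platform trust store for the ordinary PKI checks (expiry, signatures, roots).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no system X509TrustManager available");
        }
        systemTrustManager = found;
    }

    /** Pin of a certificate: SHA-256 over the DER SubjectPublicKeyInfo, base64 without line breaks. */
    static String pinOf(X509Certificate cert) throws CertificateException {
        try {
            byte[] spki = cert.getPublicKey().getEncoded(); // X.509 SubjectPublicKeyInfo, DER
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return Base64.encodeToString(digest, Base64.NO_WRAP);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // 1. Normal validation first; a pin match must never rescue an otherwise invalid chain.
        systemTrustManager.checkServerTrusted(chain, authType);
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        // 2. Pin check on the leaf certificate, compared in constant time.
        byte[] presented = pinOf(chain[0]).getBytes();
        for (String expected : PINS) {
            if (MessageDigest.isEqual(presented, expected.getBytes())) {
                return;
            }
        }
        throw new CertificateException("server public key does not match any pinned key");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        systemTrustManager.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return systemTrustManager.getAcceptedIssuers();
    }
}
```

Because chain[0] is the leaf, a rotated intermediate or root CA does not break the pin; only a change of the server's own key does, which is exactly the event the backup pin is there for.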
Demo
https://github.com/jiahaoliuliu/PublicKeyPinning
DO & DON'T
Do
Use it where a man-in-the-middle is a high security risk
Banking applications
Pin the public key rather than the whole certificate, and ship a backup pin so a key rotation does not lock users out
Don't
Use it if the server's certificate key changes frequently (every change forces an app update)
Use it when speed of delivery matters more than security
@jiahaoliuliu
Questions
mailto:[email protected]