Level: Technical

In this workshop we’ll be covering certificate pinning (some focus on mobile applications). We’ll be discussing trade-offs of different pinning strategies, and how they can be bypassed. There will be a significant practical component covering what was discussed.

  • Introduction
    • What is certificate pinning?
    • Why should you always pin?
    • Where and what to pin?
  • So… how should you pin?
    • iOS
    • Android
  • Exercises (all involve bypassing certificate pinning)
    • Patching / Re-packaging / Re-signing an Android APK
    • Code review
    • Runtime instrumentation with Frida

What to bring:

  • You’ll need a system (*NIX or Windows) with the following installed and working:
    • ADB
    • unzip
    • zipalign
    • apktool
    • jd-gui (or your Java decompiler of choice)
    • dex2jar
    • frida (pip install frida; frida –version)
    • Burp Suite (or your HTTP proxy of choice)
    • Text editor of your choice
    • Genymotion Android Emulator
  • If you can, bring your own rooted Android device (anything above 5.1 should work)

Jose Lopes is currently a Senior Security Consultant at Nettitude Ltd. He specialises in application and software security – mainly mobile applications and thick clients. His interests include reverse engineering, privacy, and going fast on motorcycles.

Comments are closed.