Level: Technical

Workshop:
In this workshop we’ll be covering certificate pinning (some focus on mobile applications). We’ll be discussing trade-offs of different pinning strategies, and how they can be bypassed. There will be a significant practical component covering what was discussed.

• Introduction
  • What is certificate pinning?
  • Why should you always pin?
  • Where and what to pin?
• So… how should you pin?
  • iOS
  • Android
• Exercises (all involve bypassing certificate pinning)
  • Patching / Re-packaging / Re-signing an Android APK
  • Code review
  • Runtime instrumentation with Frida

What to bring:

• You’ll need a system (*NIX or Windows) with the following installed and working:
  • ADB
  • unzip
  • zipalign
  • apktool
  • jd-gui (or your Java decompiler of choice)
  • dex2jar
  • frida (pip install frida; frida –version)
  • Burp Suite (or your HTTP proxy of choice)
  • Text editor of your choice
  • Genymotion Android Emulator
• If you can, bring your own rooted Android device (anything above 5.1 should work)

Bio:
Jose Lopes is currently a Senior Security Consultant at Nettitude Ltd. He specialises in application and software security – mainly mobile applications and thick clients. His interests include reverse engineering, privacy, and going fast on motorcycles.

Posted on Monday, February 19th, 2018 at 10:07 AM in workshops | rss feed for comments| Both comments and pings are currently closed.