Workshop: I’ve got 99 problems but a pin ain’t one (Jose Lopes)
| February 19th, 2018Level: Technical
Workshop:
In this workshop we’ll be covering certificate pinning (some focus on mobile applications). We’ll be discussing trade-offs of different pinning strategies, and how they can be bypassed. There will be a significant practical component covering what was discussed.
- Introduction
- What is certificate pinning?
- Why should you always pin?
- Where and what to pin?
- So… how should you pin?
- iOS
- Android
- Exercises (all involve bypassing certificate pinning)
- Patching / Re-packaging / Re-signing an Android APK
- Code review
- Runtime instrumentation with Frida
What to bring:
- You’ll need a system (*NIX or Windows) with the following installed and working:
- ADB
- unzip
- zipalign
- apktool
- jd-gui (or your Java decompiler of choice)
- dex2jar
- frida (pip install frida; frida –version)
- Burp Suite (or your HTTP proxy of choice)
- Text editor of your choice
- Genymotion Android Emulator
- If you can, bring your own rooted Android device (anything above 5.1 should work)
Bio:
Jose Lopes is currently a Senior Security Consultant at Nettitude Ltd. He specialises in application and software security – mainly mobile applications and thick clients. His interests include reverse engineering, privacy, and going fast on motorcycles.