
A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices

The use of mobile devices has undergone rapid growth in recent years. However, on some occasions, security has been neglected when developing applications. SSL/TLS has been used for years to secure communications although it is not a vulnerability-free protocol. One of the most common vulnerabilitie...


Bibliographic Details
Main authors: Ramírez-López, Francisco José, Varela-Vaca, Ángel Jesús, Ropero, Jorge, Luque, Joaquín, Carrasco, Alejandro
Format: Online Article Text
Language: English
Published: MDPI 2019
Subjects:
Online access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7514482/
http://dx.doi.org/10.3390/e21121136
author Ramírez-López, Francisco José
Varela-Vaca, Ángel Jesús
Ropero, Jorge
Luque, Joaquín
Carrasco, Alejandro
author_sort Ramírez-López, Francisco José
collection PubMed
description The use of mobile devices has undergone rapid growth in recent years. However, on some occasions, security has been neglected when developing applications. SSL/TLS has been used for years to secure communications although it is not a vulnerability-free protocol. One of the most common vulnerabilities is SSL pinning bypassing. This paper first describes some security controls to help protect against SSL pinning bypassing. Subsequently, some existing methods for bypassing are presented and two new methods are defined. We performed some experiments to check the use of security controls in widely used applications, and applied SSL pinning bypassing methods. Finally, we created an applicability framework, relating the implemented security controls and the methods that are applicable. This framework provides a guideline for pentesters and app developers.
format Online
Article
Text
id pubmed-7514482
institution National Center for Biotechnology Information
language English
publishDate 2019
publisher MDPI
record_format MEDLINE/PubMed
spelling pubmed-75144822020-11-09 A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices Ramírez-López, Francisco José Varela-Vaca, Ángel Jesús Ropero, Jorge Luque, Joaquín Carrasco, Alejandro Entropy (Basel) Article The use of mobile devices has undergone rapid growth in recent years. However, on some occasions, security has been neglected when developing applications. SSL/TLS has been used for years to secure communications although it is not a vulnerability-free protocol. One of the most common vulnerabilities is SSL pinning bypassing. This paper first describes some security controls to help protect against SSL pinning bypassing. Subsequently, some existing methods for bypassing are presented and two new methods are defined. We performed some experiments to check the use of security controls in widely used applications, and applied SSL pinning bypassing methods. Finally, we created an applicability framework, relating the implemented security controls and the methods that are applicable. This framework provides a guideline for pentesters and app developers. MDPI 2019-11-21 /pmc/articles/PMC7514482/ http://dx.doi.org/10.3390/e21121136 Text en © 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
title A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices
topic Article
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7514482/
http://dx.doi.org/10.3390/e21121136