Sunday, April 19 • 10:00am - 11:00am
Stick a Pin in Certificate Pinning: How to Inspect Mobile Traffic and Stop Data Exfiltration


With the rise of encrypted traffic, more and more companies are deploying SSL inspection platforms to decrypt SSL traffic. Unfortunately, these companies quickly discover that they cannot decrypt all traffic, particularly the communications of mobile apps that use certificate pinning.

What is certificate pinning? It is a method of preventing man-in-the-middle (MitM) attacks by validating server certificates against known, approved certificates or hashes that are bundled with the application. Many mobile applications today, including Twitter, Facebook, and Square, use certificate pinning to detect forged SSL certificates and prevent unauthorized snooping. While this improves user privacy, it also exposes a gaping hole in corporate defenses.
Why? Because malicious insiders can use mobile apps like Facebook to share confidential data. Malware can communicate and distribute stolen data and credentials through mobile applications. Researchers have even discovered bots that receive command-and-control directives from illicit Twitter accounts. As a result, organizations should inspect traffic from mobile applications.
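The following is an added illustration (not from the talk or from Sierraware) of the pin check described above: the app hashes the SubjectPublicKeyInfo of each certificate in the chain and compares it with a pin set bundled in the app, so a certificate minted by an SSL inspection proxy fails even when the proxy CA is trusted by the device. The hostnames and certificates are constructed in memory for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64-encoded SHA-256 of the certificate's
// SubjectPublicKeyInfo, the pin format apps typically bundle.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins runs after normal chain validation: at least one certificate
// in the presented chain must carry a pinned public key.
func verifyPins(chain []*x509.Certificate, pins map[string]bool) error {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return nil
		}
	}
	return fmt.Errorf("pinning failure: no pinned public key in chain")
}

// selfSigned mints a throwaway self-signed certificate with a fresh key (constructed for the demo).
func selfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	server := selfSigned("api.example.com")         // the app's real backend
	pins := map[string]bool{spkiPin(server): true} // pin bundled with the app
	proxy := selfSigned("api.example.com")          // same name, forged by an inspection proxy
	fmt.Println(verifyPins([]*x509.Certificate{server}, pins), verifyPins([]*x509.Certificate{proxy}, pins))
}
```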

During this presentation, we will propose a way to allow employees to access their favorite mobile applications, while still ensuring that all traffic is inspected for data loss and attacks. With mobile app virtualization, organizations can host mobile apps on centralized servers and monitor file uploads and user activity. The end user experience is nearly identical to native application access.

Attend this session to learn how attackers and insiders can use certificate pinning to bypass security controls. Understand trends in cryptography and the implications for IT security.


Gopal Jayaraman

Gopal Jayaraman is the CEO and co-founder of Sierraware. He established Sierraware with the goal of supplying rock-solid, full-featured virtualization and security software to equipment manufacturers all over the world. Prior to Sierraware, Gopal was a Senior Software Architect at...

Sunday April 19, 2015 10:00am - 11:00am PDT
