A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices
The use of mobile devices has undergone rapid growth in recent years. However, on some occasions, security has been neglected when developing applications. SSL/TLS has been used for years to secure communications although it is not a vulnerability-free protocol. One of the most common vulnerabilitie...
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
MDPI AG
2019-11-01
|
| Series: | Entropy |
| Subjects: | |
| Online Access: | https://www.mdpi.com/1099-4300/21/12/1136 |
| _version_ | 1811303955428278272 |
|---|---|
| author | Francisco José Ramírez-López Ángel Jesús Varela-Vaca Jorge Ropero Joaquín Luque Alejandro Carrasco |
| author_facet | Francisco José Ramírez-López Ángel Jesús Varela-Vaca Jorge Ropero Joaquín Luque Alejandro Carrasco |
| author_sort | Francisco José Ramírez-López |
| collection | DOAJ |
| description | The use of mobile devices has undergone rapid growth in recent years. However, on some occasions, security has been neglected when developing applications. SSL/TLS has been used for years to secure communications although it is not a vulnerability-free protocol. One of the most common vulnerabilities is SSL pinning bypassing. This paper first describes some security controls to help protect against SSL pinning bypassing. Subsequently, some existing methods for bypassing are presented and two new methods are defined. We performed some experiments to check the use of security controls in widely used applications, and applied SSL pinning bypassing methods. Finally, we created an applicability framework, relating the implemented security controls and the methods that are applicable. This framework provides a guideline for pentesters and app developers. |
| first_indexed | 2024-04-13T07:57:20Z |
| format | Article |
| id | doaj.art-d6d8aac7f2324f52bd7cbcc7f5f963af |
| institution | Directory Open Access Journal |
| issn | 1099-4300 |
| language | English |
| last_indexed | 2024-04-13T07:57:20Z |
| publishDate | 2019-11-01 |
| publisher | MDPI AG |
| record_format | Article |
| series | Entropy |
| spelling | doaj.art-d6d8aac7f2324f52bd7cbcc7f5f963af2022-12-22T02:55:22ZengMDPI AGEntropy1099-43002019-11-012112113610.3390/e21121136e21121136A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android DevicesFrancisco José Ramírez-López0Ángel Jesús Varela-Vaca1Jorge Ropero2Joaquín Luque3Alejandro Carrasco4Departamento de Tecnología Electrónica, Universidad de Sevilla, 41012 Sevilla, SpainDepartamento de Lenguajes y Sistemas Informáticos, Universidad de Sevilla, 41012 Sevilla, SpainDepartamento de Tecnología Electrónica, Universidad de Sevilla, 41012 Sevilla, SpainDepartamento de Tecnología Electrónica, Universidad de Sevilla, 41012 Sevilla, SpainDepartamento de Tecnología Electrónica, Universidad de Sevilla, 41012 Sevilla, SpainThe use of mobile devices has undergone rapid growth in recent years. However, on some occasions, security has been neglected when developing applications. SSL/TLS has been used for years to secure communications although it is not a vulnerability-free protocol. One of the most common vulnerabilities is SSL pinning bypassing. This paper first describes some security controls to help protect against SSL pinning bypassing. Subsequently, some existing methods for bypassing are presented and two new methods are defined. We performed some experiments to check the use of security controls in widely used applications, and applied SSL pinning bypassing methods. Finally, we created an applicability framework, relating the implemented security controls and the methods that are applicable. This framework provides a guideline for pentesters and app developers.https://www.mdpi.com/1099-4300/21/12/1136ssl pinningsecuritymobile applicationsandroidauditingvulnerabilitiesowasp |
| spellingShingle | Francisco José Ramírez-López Ángel Jesús Varela-Vaca Jorge Ropero Joaquín Luque Alejandro Carrasco A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices Entropy ssl pinning security mobile applications android auditing vulnerabilities owasp |
| title | A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices |
| title_full | A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices |
| title_fullStr | A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices |
| title_full_unstemmed | A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices |
| title_short | A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices |
| title_sort | framework to secure the development and auditing of ssl pinning in mobile applications the case of android devices |
| topic | ssl pinning security mobile applications android auditing vulnerabilities owasp |
| url | https://www.mdpi.com/1099-4300/21/12/1136 |
| work_keys_str_mv | AT franciscojoseramirezlopez aframeworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices AT angeljesusvarelavaca aframeworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices AT jorgeropero aframeworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices AT joaquinluque aframeworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices AT alejandrocarrasco aframeworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices AT franciscojoseramirezlopez frameworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices AT angeljesusvarelavaca frameworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices AT jorgeropero frameworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices AT joaquinluque frameworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices AT alejandrocarrasco frameworktosecurethedevelopmentandauditingofsslpinninginmobileapplicationsthecaseofandroiddevices |