BSides Joburg 2024

Terribly Layered Security - The common security failings of cryptography implementations for mobile
2024-07-20, Track 1

This talk will delve into the intricate world of transport security, specifically within mobile applications, highlighting the terrifying vulnerabilities that can be introduced into your applications unknowingly. We will explore how these security flaws can be exploited by threat actors, compromising data integrity and user privacy. The presentation will cover critical aspects such as host name validation, certificate chain validation, certificate/public key pinning and even the use of custom cr


  1. Introduction to Transport Layer Security
    - Brief overview of TLS
    - Impact and severity of exploitation

  2. Host Name Validation
    - Detailed look at the process of host name validation
    - Tools and techniques for detection
    - Demonstrating real-world attacks against improper host name validation

  3. Certificate Chain Validation
    - Detailed look at the process of certificate chain validation
    - Tools and techniques for detection
    - Demonstrating real-world attacks against improper chain validation

  4. Certificate Pinning
    - Explanation of certificate pinning and its importance
    - Tools and techniques for detection
    - How to implement certificate pinning with OkHTTP
    - Demonstrating real-world attacks against certificate pinning

  5. Custom Cryptography
    - What does custom cryptography on top of TLS look like
    - Does it provide any security benefits
    - Does it pose any risk
    - Examples of real-world attacks against custom cryptography implementations

  6. Live Demonstrations
    - Recorded demonstrations of all of the above, and combinations of the controls
    - Interactive session with audience participation
    - Demonstrating real-world attacks against improper host name validation
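The following is an added example, not code from the talk or from the speakers, illustrating the failings covered in sections 2 to 4 of the outline and the OkHttp pinning approach named in section 4. It assumes OkHttp 3.x or 4.x on Android or the JVM; the host `api.example.com` and the pin values are placeholders, not real hashes for any server. The first builder reproduces the two shortcuts that remove chain validation and host name validation; the second keeps the platform's validation and adds SPKI pinning on top.

```java
// Added example (not from the talk): an insecure OkHttp client beside a hardened one.
// Assumes OkHttp 3.x/4.x. Host and pins are placeholders.

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class TlsClients {

    /**
     * INSECURE: the pattern behind "improper chain validation" and "improper host name
     * validation". checkServerTrusted never throws, so any certificate chain is accepted,
     * and the HostnameVerifier accepts any host, so the certificate need not match the URL.
     * These two lines are what detection tooling and code review look for in mobile apps.
     */
    public static OkHttpClient insecureClient()
            throws NoSuchAlgorithmException, KeyManagementException {
        X509TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, null);
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), trustAll)   // chain validation removed
                .hostnameVerifier((hostname, session) -> true)        // host name validation removed
                .build();
    }

    /**
     * HARDENED: no custom TrustManager or HostnameVerifier, so the platform's chain and
     * host name checks stay in force. CertificatePinner adds a second layer: the connection
     * only succeeds if one of the listed SHA-256 SPKI pins appears in the validated chain.
     * Two pins are listed so a key rotation to the backup key does not brick the app.
     */
    public static OkHttpClient pinnedClient() {
        // Placeholder pins (valid base64, not real hashes). Replace with the SPKI hashes
        // of the server's leaf or intermediate, plus a backup key you control.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
                .add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

Pinning is layered on top of normal validation, not a replacement for it: OkHttp only evaluates the pins after the TrustManager has accepted the chain, so pairing `CertificatePinner` with a trust-all TrustManager as in `insecureClient()` leaves the app pinned to whatever chain an interposing party presents. When a pin does not match, OkHttp fails the request with an `SSLPeerUnverifiedException` whose message lists the pins actually seen in the chain, which is the documented way to obtain the correct values during development.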

Connor and Andre work as mobile security consultants for MWRCybersec. Both speakers are passionate about reverse engineering and making their corner of the world safer.

I am a developer who became a security consultant in order to gain more perspective as to how other organisations build their infrastructure and handle their security. I am currently working in the mobile division at MWR Cybersec.