A technique to circumvent SSL/TLS validations on iOS devices
Date
2017
Authors
D'Orazio, C.J.
Choo, K.K.R.
Editors
Advisors
Journal Title
Journal ISSN
Volume Title
Type:
Journal article
Citation
Future Generation Computer Systems, 2017; 74:366-374
Statement of Responsibility
Conference Name
Abstract
SSL/TLS validations such as certificate and public key pinning can reinforce the security of encrypted communications between Internet-of-Things devices and remote servers, and ensure the privacy of users. However, such implementations complicate forensic analysis and detection of information disclosure; say, when a mobile app breaches user's privacy by sending sensitive information to third parties. Therefore, it is crucial to develop the capacity to vet mobile apps augmenting the security of SSL/TLS traffic. In this paper, we propose a technique to bypass the system's default certificate validation as well as built-in SSL/TLS validations performed in iOS apps. We then demonstrate its utility by analysing 40 popular iOS social networking, electronic payment, banking, and cloud computing apps.
School/Discipline
Dissertation Note
Provenance
Description
Access Status
Rights
Copyright 2016 Elsevier