Where, how, and why is SSL traffic on mobile getting intercepted? A look at ten million real-world SSL incidents

No ratings

Presented at owaspapseccalifornia 2018 by

Alban Diquet

Abstract :Over the last two years, we've received and analyzed more than ten million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.