Notary-Assisted Certificate Pinning for Improved Security of Android Apps

2016 11th International Conference on Availability, Reliability and Security (ARES) Pub Date : 2016-08-01 DOI:10.1109/ARES.2016.42

Georg Merzdovnik, D. Buhov, A. Voyiatzis, E. Weippl

{"title":"Notary-Assisted Certificate Pinning for Improved Security of Android Apps","authors":"Georg Merzdovnik, D. Buhov, A. Voyiatzis, E. Weippl","doi":"10.1109/ARES.2016.42","DOIUrl":null,"url":null,"abstract":"The security provided to Internet applications by the TLS protocol relies on the trust we put on Certificate Authorities (CAs) issuing valid identity certificates. TLS certificate pinning is a proposed approach to defend against man-in-the-middle (MitM) attacks that are realized using valid albeit fraudulent certificates. Yet, the implementation of certificate pinning for mobile applications, and especially for Google Android apps, is cumbersome and error-prone, resulting in inappropriate connection handling and privacy leaks of user information. We propose the use of TLS notary-assisted certificate pinning at the Android Runtime level. Our approach defends against a wide range of MitM attacks without needing to update the application using TLS. Furthermore, by relying on the collective knowledge of the trusted TLS notaries, we increase both the security and the usability, while at the same time we remove the burden for the user making trust decisions about system security issues. We describe a proof-of-concept implementation demonstrating its capabilities and discuss the next steps necessary towards general availability of our solution.","PeriodicalId":216417,"journal":{"name":"2016 11th International Conference on Availability, Reliability and Security (ARES)","volume":"120 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 11th International Conference on Availability, Reliability and Security (ARES)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2016.42","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

The security provided to Internet applications by the TLS protocol relies on the trust we put on Certificate Authorities (CAs) issuing valid identity certificates. TLS certificate pinning is a proposed approach to defend against man-in-the-middle (MitM) attacks that are realized using valid albeit fraudulent certificates. Yet, the implementation of certificate pinning for mobile applications, and especially for Google Android apps, is cumbersome and error-prone, resulting in inappropriate connection handling and privacy leaks of user information. We propose the use of TLS notary-assisted certificate pinning at the Android Runtime level. Our approach defends against a wide range of MitM attacks without needing to update the application using TLS. Furthermore, by relying on the collective knowledge of the trusted TLS notaries, we increase both the security and the usability, while at the same time we remove the burden for the user making trust decisions about system security issues. We describe a proof-of-concept implementation demonstrating its capabilities and discuss the next steps necessary towards general availability of our solution.

查看原文本刊更多论文

公证辅助证书固定，提高Android应用程序的安全性

TLS协议为Internet应用程序提供的安全性依赖于我们对颁发有效身份证书的证书颁发机构(ca)的信任。TLS证书固定是一种被提议的防御中间人(MitM)攻击的方法，这种攻击使用有效的(尽管是欺诈性的)证书来实现。然而，对于移动应用程序，特别是Google Android应用程序，证书绑定的实现非常繁琐且容易出错，导致连接处理不当和用户信息隐私泄露。我们建议在Android运行时级别使用TLS公证辅助证书固定。我们的方法可以抵御各种MitM攻击，而无需使用TLS更新应用程序。此外，通过依赖受信任的TLS公证人的集体知识，我们提高了安全性和可用性，同时我们消除了用户对系统安全问题做出信任决策的负担。我们描述了一个展示其功能的概念验证实现，并讨论了实现我们的解决方案的一般可用性所需的后续步骤。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 11th International Conference on Availability, Reliability and Security (ARES)

自引率

0.00%

发文量