*** Abstract *** Certificate pinning trends perennially, coming to the fore with each new SSL hack. Security urges developers to implement pinning and many mobile apps do — some applying pinning to problems it doesn't solve while others do so entirely unnecessarily.
Taking a perspective useful to both developers and testers, this presentation highlights the threats that pinning can tackle and covers the tradeoffs inherent in pinning decisions. The presentation explores several flaws found in real applications and describes changes introduced in recent Android versions.
Expect to leave understanding common implementation mistakes, common misconceptions and key subtleties of pinning that may in fact decrease security or impose undue complexity.
*** Android Security Symposium *** The second Android Security Symposium was organized by the Josef Ressel Center u'smile at the University of Applied Sciences Upper Austria in Hagenberg in cooperation with SBA Research and the Institute of Networks and Security (INS) at Johannes Kepler University Linz.
This video is provided by the Josef Ressel Center for User-friendly Secure Mobile Environments (u'smile), a research group at the University of Applied Sciences Upper Austria.