Abstract |
---|
The security provided to Internet applications by the TLS protocol relies on the trust we put in Certificate Authorities (CAs) issuing valid identity certificates. TLS certificate pinning is a proposed approach to defend against man-in-the-middle (MitM) attacks that are realized using valid albeit fraudulent certificates. Yet, the implementation of certificate pinning for mobile applications, and especially for Google Android apps, is cumbersome and error-prone, resulting in inappropriate connection handling and privacy leaks of user information. We propose the use of TLS notary-assisted certificate pinning at the Android Runtime level. Our approach defends against a wide range of MitM attacks without needing to update the application using TLS. Furthermore, by relying on the collective knowledge of the trusted TLS notaries, we increase both security and usability, while at the same time removing the burden on the user of making trust decisions about system security issues. We describe a proof-of-concept implementation demonstrating its capabilities and discuss the next steps necessary towards general availability of our solution. |

Year | DOI | Venue |
---|---|---|
2016 | 10.1109/ARES.2016.42 | 2016 11th International Conference on Availability, Reliability and Security (ARES) |

Keywords | Field | DocType |
---|---|---|
Security, TLS, certificate pinning, Google Android, mobile apps, man-in-the-middle attacks | Internet privacy, Man-in-the-middle attack, Android (operating system), Computer security, Computer science, Public key certificate, Certificate authority, User information, Chain of trust, Certificate, The Internet | Conference |

ISBN | Citations | PageRank |
---|---|---|
978-1-5090-0991-6 | 0 | 0.34 |

References | Authors |
---|---|
0 | 4 |

Name | Order | Citations | PageRank |
---|---|---|---|
Georg Merzdovnik | 1 | 71 | 8.21 |
Damjan Buhov | 2 | 24 | 2.44 |
Artemios G. Voyiatzis | 3 | 112 | 14.08 |
Edgar Weippl | 4 | 856 | 105.02 |