<div class="csl-bib-body">
<div class="csl-entry">Pradeep, A., Paracha, M. T., Bhowmick, P., Davanian, A., Razaghpanah, A., Chung, T., Lindorfer, M., Vallina-Rodriguez, N., Levin, D., & Choffnes, D. (2022). A Comparative Analysis of Certificate Pinning in Android & iOS. In <i>Proceedings of the 22nd ACM Internet Measurement Conference</i> (pp. 605–618). ACM. https://doi.org/10.34726/3505</div>
</div>
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/150264
-
dc.identifier.uri
https://doi.org/10.34726/3505
-
dc.description.abstract
TLS certificate pinning is a security mechanism used by applications (apps) to protect their network traffic against malicious certificate authorities (CAs), in-path monitoring, and other methods of TLS tampering. Pinning can provide enhanced security to defend against malicious third-party access to sensitive data in transit (e.g., to protect sensitive banking and health care information), but can also hide an app’s personal data collection from users and auditors. Prior studies found pinning was rarely used in the Android ecosystem, except in high-profile, security-sensitive apps; and, little is known about its usage on iOS and across mobile platforms. In this paper, we thoroughly investigate the use of certificate pinning on Android and iOS. We collect 5,079 unique apps from the two official app stores: 575 common apps, 1,000 popular apps each, and 1,000 randomly selected apps each. We develop novel, cross-platform, static and dynamic analysis techniques to detect the usage of certificate pinning. Thus, our study offers a more comprehensive understanding of certificate pinning than previous studies. We find certificate pinning as much as 4 times more widely adopted than reported in recent studies. More specifically, we find that 0.9% to 8% of Android apps and 2.5% to 11% of iOS apps use certificate pinning at run time (depending on the aforementioned sets of apps). We then investigate which categories of apps most frequently use pinning (e.g., apps in the “finance” category), which destinations are typically pinned (e.g., first-party destinations vs those used by third-party libraries), which certificates are pinned and how these are pinned (e.g., CA vs leaf certificates), and the connection security for pinned connections vs unpinned ones (e.g., the use of weak ciphers or improper certificate validation). Lastly, we investigate how many pinned connections are amenable to binary instrumentation to reveal the contents of their connections; for those that are, we analyze the data sent over pinned connections to understand what is protected by pinning.
en
dc.description.sponsorship
WWTF Wiener Wissenschafts-, Forschu und Technologiefonds
-
dc.language.iso
en
-
dc.subject
App Pinning
en
dc.subject
Certificate Pinning
en
dc.subject
Measurement Techniques
en
dc.subject
Network Security
en
dc.subject
TLS
en
dc.subject
Transport Layer Security
en
dc.title
A Comparative Analysis of Certificate Pinning in Android & iOS
en
dc.type
Inproceedings
en
dc.type
Konferenzbeitrag
de
dc.identifier.doi
10.34726/3505
-
dc.contributor.affiliation
ICSI / Cisco
-
dc.contributor.affiliation
Northeastern University, United States of America (the)
-
dc.contributor.affiliation
Virginia Tech, United States of America (the)
-
dc.contributor.affiliation
University of California, Riverside, United States of America (the)
-
dc.contributor.affiliation
ICSI / Cisco Inc.
-
dc.contributor.affiliation
Virginia Tech, United States of America (the)
-
dc.contributor.affiliation
AppCensus Inc, Spain
-
dc.contributor.affiliation
University of Maryland, Baltimore, United States of America (the)
-
dc.contributor.affiliation
Northeastern University, United States of America (the)
-
dc.relation.isbn
9781450392594
-
dc.description.startpage
605
-
dc.description.endpage
618
-
dc.relation.grantno
ICT19-056
-
dc.rights.holder
Copyright held by the owner/author(s). Publication rights licensed to ACM.
-
dc.type.category
Full-Paper Contribution
-
tuw.booktitle
Proceedings of the 22nd ACM Internet Measurement Conference
-
tuw.relation.publisher
ACM
-
tuw.project.title
IoTIO: Analyse des Internet der Unsicheren Dinge
-
tuw.researchTopic.id
I4a
-
tuw.researchTopic.name
Information Systems Engineering
-
tuw.researchTopic.value
100
-
tuw.linking
https://github.com/NEU-SNS/app-tls-pinning
-
tuw.publication.orgunit
E192-06 - Forschungsbereich Security and Privacy
-
tuw.publisher.doi
10.1145/3517745.3561439
-
dc.description.numberOfPages
14
-
tuw.author.orcid
0000-0002-0320-8611
-
tuw.event.name
Internet Measurement Conference (IMC)
-
tuw.event.startdate
25-10-2022
-
tuw.event.enddate
27-10-2022
-
tuw.event.online
Hybrid
-
tuw.event.type
Event for scientific audience
-
tuw.event.place
Nice
-
tuw.event.country
FR
-
tuw.event.presenter
Pradeep, Amogh
-
tuw.event.presenter
Paracha, Muhammad Talha
-
tuw.event.track
Single Track
-
wb.sciencebranch
Informatik
-
wb.sciencebranch.oefos
1020
-
wb.sciencebranch.value
100
-
item.languageiso639-1
en
-
item.openairetype
conference paper
-
item.grantfulltext
restricted
-
item.fulltext
no Fulltext
-
item.cerifentitytype
Publications
-
item.openairecristype
http://purl.org/coar/resource_type/c_5794
-
crisitem.author.dept
E192-06 - Forschungsbereich Security and Privacy
-
crisitem.author.dept
Northeastern University
-
crisitem.author.dept
Virginia Tech
-
crisitem.author.dept
University of California, Riverside
-
crisitem.author.dept
ICSI / Cisco Inc.
-
crisitem.author.dept
Virginia Tech
-
crisitem.author.dept
E192-06 - Forschungsbereich Security and Privacy
-
crisitem.author.dept
AppCensus Inc, Spain
-
crisitem.author.dept
University of Maryland, Baltimore
-
crisitem.author.dept
Northeastern University
-
crisitem.author.orcid
0000-0003-2831-6632
-
crisitem.author.orcid
0000-0002-0320-8611
-
crisitem.author.orcid
0000-0001-7001-4481
-
crisitem.author.parentorg
E192 - Institut für Logic and Computation
-
crisitem.author.parentorg
E192 - Institut für Logic and Computation
-
crisitem.project.funder
WWTF Wiener Wissenschafts-, Forschu und Technologiefonds
