Department of Computing

Applications of Computing in Industry: Lecture

03 February
12pm, LT308 Huxley
 
Company: Netcraft

Title: Mobile application vulnerabilities
Abstract: Mobile applications which send and receive sensitive information are tempting targets for man-in-the-middle (MITM) attacks where a correctly positioned attacker can view and manipulate traffic. Mobile applications use the same approach to securing communication as conventional web sites: SSL/TLS. However, SSL certificate validation is far from trivial and mobile applications often fall short of the standard of certificate validation performed in mainstream browsers. Without sufficient validation of SSL certificates in a mobile app, an attacker can substitute a legitimate SSL certificate with one under his control and thus view or manipulate sensitive information submitted by the user. Mobile app users who regularly connect to untrusted public wireless networks are particularly at risk, both from rogue access points and from other users of the wireless network. Unlike with conventional phishing attacks, browser-based blocking of malicious websites is not sufficient to defend against this type of attack. We will examine some real applications with this vulnerability, discuss the consequences, and of course demonstrate exploitation!
Speaker Details: Graham Edgecombe
 
Graham Edgecombe is an Internet Services Developer at Netcraft, where he works on the development and system administration of Netcraft's Internet security and data mining services. He recently graduated from the University of Cambridge with a BA in Computer Science.
