TLS Tools for Black Box Mobile Testing
Monday November 5, 2012
iSEC is pleased to announce that the mobile testing tools presented in iSEC's Black Hat 2012 presentation by Alban Diquet and Justine Osborne have been publicly released as open-source software on iSEC's GitHub page.
Historically, when performing black box testing against iOS or Android applications, testers have installed the CA certificate of their proxy software onto their device or emulator, so that network communications can be intercepted, monitored and altered. For most cases, this is sufficient. However, for various reasons at different times, this has been difficult or irritating to accomplish, and many prominent mobile applications take the reasonable precaution of pinning to a specific certificate or lone Certificate Authority.
Enter ios-ssl-killswitch and android-ssl-bypass. These tools help black box mobile testers disable SSL/TLS certificate validation routines, even for implementations that pin to a specific certificate or CA rather than using the internal Certificate Authority store. Head on over to our GitHub and feel free to fork, file issues, or submit pull requests.