Android Security Symposium 2017

Pinning: Not as simple as it sounds

About the speaker

John Kozyrakis

Synopsys, London, UK
John is a security engineer and researcher in the area of mobile application security. He has helped several large organizations threat model their apps and design or evaluate sophisticated defensive controls such as binary hardening and certificate pinning. He also develops automated static and dynamic analysis solutions for Android applications. John holds an MSc in Information Security from Royal Holloway, University of London and an Electrical and Computer Engineering diploma from the University of Patras.

Abstract

Certificate pinning trends perennially, coming to the fore with each new SSL hack. The security community urges developers to implement pinning and many mobile apps do — some applying pinning to problems it doesn't solve while others do so entirely unnecessarily.

Taking a perspective useful to both developers and testers, this presentation highlights the threats that pinning can tackle and covers the tradeoffs inherent in pinning decisions. The presentation explores several flaws found in real applications and describes changes introduced in recent Android versions.

Expect to leave understanding common implementation mistakes, common misconceptions and key subtleties of pinning that may in fact decrease security or impose undue complexity.

Slides

Get the slides here.

Video