Fortify - Application Security
Recent statistics show that almost half of breaches that cause material damage occur via applications. HP Fortify provides software and services that help organization secure applications to prevent those attacks. This blog serves as a platform for our penetration testers, product managers and marketers, and software engineers to provide analysis and insight regarding both web application security and how organizations can utilize our products and services to better secure their applications. For more information, visit www.hp.com/go/fortify

Certificate Pinning for Mobile Applications

lockicon.png

Here at Fortify on Demand, one of the most common surprises for customers when they see their results from one of our Mobile Application Assessments is that we were able to view and modify all traffic passing between their mobile device and their mobile backend—commonly called a Man in the Middle (MiTM) attack.

 

Certificate Pinning is a solution that many implement to counter this, but there is a general lack of understanding around thetechnique. Many think (incorrectly) that it's a silver bullet for traffic interception and aren't aware of the potential downsides.

 

This article will give an overview of mobile certificate pinning and will cover basics, misconceptions, implementation, gotchas, and generally get you up to speed on the topic.

2 Reasons iOS is More Secure Than Android

android_ios.jpg

 

When I tell people I test the security of mobile applications one of the most common questions people ask is, "Which platform is more secure: Android or iOS?"

 

There are many ways to answer this, but each of them have their issues. You can look at malware stats, you can look at marketshare, you can look at lists of vulnerabilities. But at some point you're comparing apples and...well, not apples.

 

There are always other factors, one of which being the user bases. Are people buying the cheapest phones available making the same security choices as those buying the more expensive and popular options? And if not, then aren't we then dealing with poor security choices instead of an insecure platform?

 

Two Points 

 

This all being true, there are two reasons iOS will continue to be the more secure platform going forward. Not only will it be more secure, but its position as security lead will actually grow.

Labels: Android| iOS| mobile| security
Search
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
  • Adam Cazzolla is a Sr. Security Consultant with HP Fortify on Demand.
  • http://www.danielmiessler.com/about
  • hacker, developer, script junkie [python,ruby,php]
  • Jason Johnson is a Sr. Security Consultant with HP Fortify on Demand.
  • I have a passion for security and endeavor to participate in strong security defenses.
  • Lucas Gates is an Advanced Dynamic Tester with the Fortify On Demand team who enjoys responsible hacking.
  • US Army veteran. IT and infoSec professional since 1994. Founder of HouSecCon. aka m1a1vet
  • Rick Dunnam is an IS security professional with 15+ years experience in Enterprise Security and has consulted for many industry verticals: Banking, CPG, Healthcare, Government, Hospitality, and more
  • Sam Denard is a Senior Security Engineer with HP Enterprise Security.
Follow Us


HP Blog

HP Software Solutions Blog

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation