More articles related to "How to verify Certificate Pinning?"

Some friends of mine worry about the risk of man-in-the-middle attacks, so they asked me how to verify the potential risk of some apps. Take a popular shopping app "X" for example: if "X" does not meet the requirement of "Certificate P…
Certificate Pinning technology. In a man-in-the-middle attack, the attacking host usually intercepts the encrypted communication between the client and the server. The attacking machine replaces the certificate the server sends to the client with its own certificate. Usually the client does not verify this certificate but accepts it directly, thereby establishing a "secure" connection with the attacking machine. As a result, all the data the client sends can be captured and decrypted by the attacking machine. Certificate Pinning is an additional safeguard for SSL/TLS encryption: the server's certificate public key is stored in the client in advance. While the secure connection is being established, the client compares the preset public key with the received certificate. If they match, the connection is established; otherwise the connection is rejected…
Let's take a look at a very popular mobile game, "Garena 传说对决". It would be very interesting~ My friend Carrie is confused about "Certificate Pinning". Let me show you how to verify "Certificate Pinning". Use a proxy server t…
My friend Carrie would like to know whether "Garena 传说对决" has any mobile risks such as insecure data storage or sensitive data disclosure. Let's take a look at this very popular mobile game, "Garena 传说对决". It would be very interesting~ Carri…
The certificate spec, X.509, defines something like a directory structure. Its important contents include: issuer: who issued this certificate; subject: the ID of this certificate; public key; validity period; signature: the SHA hash of this certificate, encrypted with the issuer's private key. (This is the mechanism for how to verify th…
Preface. When capturing app traffic, after configuring a capture proxy you will find that some apps (such as App Store and Facebook) cannot be accessed at all, while other apps keep working normally. Why? This involves ssl-pinning, i.e. certificate pinning. Certificate pinning (SSL/TLS Pinning), as the name suggests, builds the SSL/TLS certificate provided by the server into the mobile app client; when the client initiates a request, it compares the built-in certificate with the contents of the server's certificate to determine whether the connection is legitimate. HTTPS and man-in-the-middle attacks. HTTPS: HTTPS is actually a protocol composed of the HTTP protocol combined with the TLS protocol. TL…
IP, TCP, and HTTP Issue #10 Syncing Data, March 2014 By Daniel Eggert When an app communicates with a server, more often than not, that communication happens over HTTP. HTTP was developed for web browsers: when you enter http://www.objc.io into your…
Android 1.5: ProPolice to prevent stack buffer overruns (-fstack-protector), which inserts a canary between the buffer and the return address (also called a cookie on Windows); safe_iop to reduce integer overflows (safe_iop is Cisco's safe arithmetic API library, which guarantees that arithmetic operations do not overflow); extensions to OpenBSD dlmalloc to prevent double free() vulne…
Official Wiki: Calls. Original location: https://github.com/square/okhttp/wiki/Calls The HTTP client's job is to accept your request and produce its response. This is simple in theory but it gets tricky in practice. Requests E…