Patryk Zabicki works as an Android Developer in Zürich in banking at Centralway, where security is one of the top priorities.
He is involved in designing and implementing various crucial components, from a testing framework to real-time messaging systems, including the security layer protecting Centralway users. His major interests are test automation, blockchain-related technologies and security. A strong believer in the value of privacy. Hackathon goer. Privately a hiker, skier and bookworm.
In this session Patryk would like to explain and demonstrate why basing security solely on HTTPS is not enough. He will start with a basic explanation of the secure protocols currently in use, and continue to demonstrate how relatively easy it is to compromise an SSL-powered connection, taking into consideration different attack vectors and their limitations.
Patryk will explain how in practice Android supports these protocols, mentioning how the implementation differs from the one provided in the JSSE API, and focusing on concrete details of the Android SSL stack, especially Certificate Validation and the Trusted Certificate Store.
With this information you will learn about deficiencies in the current Public Key Infrastructure (PKI) Trust Model, identify risks and work out solutions to close them. In greater detail the focus will be on one of them, Certificate Pinning.
Finally, Patryk will show a production-level implementation of Certificate Pinning, and demonstrate how it stands against MITM (Man In The Middle) attacks using the system compromised in the first part of the talk.
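As an added illustration of the kind of pinning the abstract refers to (this is example code, not the implementation from the talk or from Centralway), the following Android client pins the server's public key with OkHttp 3's `CertificatePinner`. The hostname and both pin values are placeholders; real pins are the base64 SHA-256 of the server's SubjectPublicKeyInfo, which `CertificatePinner.pin(certificate)` can compute from a known-good chain.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedClient {

    // Hypothetical host and placeholder pins (base64 SHA-256 of the SubjectPublicKeyInfo).
    // Real values are computed from the server's known-good certificate chain and must be
    // kept in sync with the certificate rotation plan; they are not taken from the talk.
    private static final String API_HOST = "api.example.com";
    private static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private final OkHttpClient client;

    public PinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Two pins: the active key plus a backup key whose private half is kept
                // offline, so a planned key rotation does not lock every installed app out.
                .add(API_HOST, PRIMARY_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();

        // Pinning runs after the normal chain validation against the device trust store;
        // it narrows what is accepted, it never widens it.
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Performs a GET and returns the body, or null when the pin check failed. */
    public String get(String path) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + path)
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.body() != null ? response.body().string() : "";
        } catch (SSLPeerUnverifiedException e) {
            // Thrown when no certificate in the presented chain matches a configured pin.
            // A user-installed CA or an interception proxy produces exactly this signal:
            // fail closed, report it for detection, never fall back to an unpinned client.
            return null;
        }
    }
}
```

Pinning the public key rather than the whole certificate lets the server renew its certificate under the same key without an app update, and the backup pin is what keeps a key compromise or rotation from turning into a self-inflicted outage; both are the operational caveats a production pinning rollout has to plan for.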