[olug] Cert Tapioca transparent network proxy finds 23, 667 Android apps that fail to validate SSL

Aric Aasgaard aric at omahax.com
Sat Feb 28 15:03:20 CST 2015


I guess I had Shark for Root installed on my old phone, odd that I didn't
find it with a quick search.

It looks like they just make a tunnel and send whatever they want through
the tunnel.
You cannot easily inspect the encrypted traffic against signatures.

Do SAN certificates with a bunch of seemingly non-related Subject
Alternative Names like this seem sketchy to any of you?
http://certificate.fyicenter.com/726_Publishers_ssl.cdngc.net_CDNetworks_Inc._L_San_Jose_ST_Ca.html
.....or look at the certificate for this site https://www.ricoh.com/
..........I guess they would be useful for reverse proxy servers.

It just seems odd that Candy Crush Saga would use the same certificate as
Toyota.
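As an added illustration, not code from this thread: a shared CDN certificate listing many unrelated names is not itself a problem, because what an app's validator should check is whether the hostname it connected to matches one of the certificate's Subject Alternative Names. The certificate dict and domain names below are constructed placeholders in the shape Python's `getpeercert()` returns.

```python
# Added example: RFC 6125-style hostname-vs-SAN matching applied to a
# constructed getpeercert()-shaped dict that mimics a CDN certificate
# carrying several unrelated Subject Alternative Names.

def _match_dns_label(pattern: str, hostname: str) -> bool:
    """Compare one dNSName entry against a hostname.

    Only a single leftmost wildcard label is honoured (e.g. *.example.com);
    it never matches across a dot and never matches the bare parent domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # label the wildcard must cover
    return bool(leftmost) and "." not in leftmost

def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True when the hostname is covered by the certificate.

    When a SAN extension is present the Common Name is ignored, as modern
    validators do; the CN is only consulted for legacy certs without SANs.
    """
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_match_dns_label(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns_label(value, hostname)
    return False

# Constructed sample (placeholder names) standing in for a shared CDN cert
# whose SANs cover customers that have nothing to do with each other.
CDN_CERT = {
    "subject": ((("commonName", "ssl.cdn.example"),),),
    "subjectAltName": (
        ("DNS", "ssl.cdn.example"),
        ("DNS", "*.candygame.example"),
        ("DNS", "www.carmaker.example"),
    ),
}

if __name__ == "__main__":
    for host in ("api.candygame.example", "candygame.example", "evil.example"):
        print(host, "->", hostname_matches_cert(CDN_CERT, host))
```

An app that accepts this certificate for `evil.example` has the validation failure the article describes; an app that rejects it for `api.candygame.example` merely because the cert also names a car maker is being stricter than the standard requires.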


