Showing posts from December, 2012

Certificate pinning in Android 4.2

A lot has happened in the Android world since our last post, with new devices being announced and going on and off sale. Most importantly, however, Android 4.2 has been released and made its way to AOSP. It's an evolutionary upgrade, bringing various improvements and some new user and developer features. This time around, security-related enhancements made it into the "what's new" list, and there are quite a few of them. The most widely publicized one has been, as expected, the one users may actually see -- application verification. It recently got an in-depth analysis, so in this post we will look into something less visible, but nevertheless quite important -- certificate pinning.

PKI's trust problems and proposed solutions

In the highly unlikely case that you haven't heard about it, the trustworthiness of the existing public CA model has been severely compromised in the past couple of years. It has been suspect for a while, but recent high-profile CA se