TMCnet News

Data Theorem and Yahoo Improve Security of Mobile App Communications with New TrustKit Open Source Tool
[August 04, 2015]



(Black Hat Conference) - Data Theorem, the leading provider in mobile app security, and Yahoo! Inc. (NASDAQ: YHOO), are unveiling a new, open source security toolkit that helps developers easily include a complex piece of mobile security functionality, known as SSL pinning, in any app.

Researchers from Data Theorem and Yahoo will be presenting the findings in a session titled "TRUSTKIT: CODE INJECTION ON IOS 8 FOR THE GREATER GOOD", on Thursday, August 6th at 9:00am at the Black Hat briefings. The presentation will review how the toolkit works, as well as how Yahoo! leveraged it to implement SSL pinning for Yahoo's mobile apps.

SSL pinning is a step developers can take to ensure that the data connections of their mobile apps cannot be eavesdropped on: the client checks the server's certificate against a known copy of that certificate, so a connection presenting any other certificate, even one signed by a trusted certificate authority, is rejected. While the concept is well known, it has traditionally been difficult and time-consuming to implement.

"SSL pinning often goes overlooked when developers are designing mobile apps for scale, but it is crucially important to the security and privacy of communications on billions of mobile devices," said Himanshu Dwivedi, CEO of Data Theorem. "With this new, open source toolkit, we are making it simple to significantly upgrade the security and privacy of every mobile app, and all of its communications."



With the release of iOS 8, Apple relaxed the rules regarding how code can be packaged within an iOS app. Previously, all code had to be statically linked into the app's binary. Apple now allows third-party frameworks and libraries to be embedded in an app's package and dynamically loaded at runtime as needed. This provides new opportunities for mobile and security engineers to improve the security of apps during development. Developers can now take advantage of this functionality and use a new open-source library that leverages these mechanisms.

TrustKit provides "drag and drop" SSL public key pinning and can be deployed within an app in a matter of minutes, without having to modify the app's source code.


TrustKit's key features include:

  • Easy to use SSL pinning: TrustKit can be deployed in minutes in any iOS or OS X App, without even modifying the app's source code.
  • API-independent pinning by directly hooking into Apple's SecureTransport. TrustKit works on NSURLSession, UIWebView, NSStream, AFNetworking, etc., all the way down to BSD sockets. All your app's connections are protected.
  • Mechanism to report pinning failures, which allows apps to send reports when an unexpected certificate chain is detected, similarly to the report-uri directive described in the HTTP Public Key Pinning specification.
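The pinning check described above (client compares the server's key against a known copy) and the report mechanism listed as the third feature, shown together as an added example in Go. This is not TrustKit's code, which is an iOS/OS X library; it illustrates the same two mechanisms, public key (SPKI) pinning and an HPKP-style failure report, using only Go's standard library. The hostnames, the report URI and the self-signed certificates are constructed placeholders so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the pin form used by HPKP and TrustKit:
// base64(SHA-256(DER-encoded SubjectPublicKeyInfo)). Pinning the public key
// rather than the whole certificate survives certificate renewal as long as
// the key pair is kept.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet is the pinning policy for one hostname. ReportURI plays the role of
// HPKP's report-uri directive (placeholder value in this example).
type PinSet struct {
	Hostname  string
	Pins      map[string]bool // in practice at least two: current key and a backup key
	ReportURI string
}

// PinReport is what the client would POST to ReportURI after a mismatch;
// field names follow the HPKP report format.
type PinReport struct {
	Hostname  string    `json:"hostname"`
	DateTime  time.Time `json:"date-time"`
	Chain     []string  `json:"served-certificate-chain"`
	KnownPins []string  `json:"known-pins"`
}

// Verify succeeds if any certificate in the server's chain carries a pinned
// key. It runs in addition to, never instead of, the TLS stack's ordinary
// chain validation. On mismatch it returns the report to send and an error
// that must abort the connection.
func (p *PinSet) Verify(chain []*x509.Certificate) (*PinReport, error) {
	if len(chain) == 0 {
		return nil, errors.New("pinning: empty certificate chain")
	}
	for _, c := range chain {
		if p.Pins[spkiPin(c)] {
			return nil, nil
		}
	}
	rep := &PinReport{Hostname: p.Hostname, DateTime: time.Now().UTC()}
	for _, c := range chain {
		rep.Chain = append(rep.Chain, base64.StdEncoding.EncodeToString(c.Raw))
	}
	for pin := range p.Pins {
		rep.KnownPins = append(rep.KnownPins, pin)
	}
	return rep, fmt.Errorf("pinning: no pinned public key in chain for %s", p.Hostname)
}

// newSelfSigned builds a throwaway self-signed certificate (constructed test
// input); a real client gets the chain from the TLS handshake instead.
func newSelfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	trusted, _ := newSelfSigned("api.example.invalid")
	unexpected, _ := newSelfSigned("api.example.invalid") // same name, different key
	policy := &PinSet{
		Hostname:  "api.example.invalid",
		Pins:      map[string]bool{spkiPin(trusted): true},
		ReportURI: "https://reports.example.invalid/pins", // placeholder
	}
	if _, err := policy.Verify([]*x509.Certificate{trusted}); err == nil {
		fmt.Println("expected chain: pin matched")
	}
	if rep, err := policy.Verify([]*x509.Certificate{unexpected}); err != nil {
		body, _ := json.Marshal(rep)
		fmt.Printf("%v\nreport for %s: %s\n", err, policy.ReportURI, body)
	}
}
```

The check deliberately scans the whole served chain rather than only the leaf, which is how both HPKP and TrustKit evaluate pins: an app can pin an intermediate or root key and keep working when the leaf certificate is rotated. Shipping a backup pin for a key that is held offline is what keeps a key compromise or lost key from locking users out of the app.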

For more information visit www.datatheorem.com. The toolkit will be hosted on GitHub, available immediately after the Black Hat presentation at http://datatheorem.github.io/TrustKit/.

About Data Theorem:

Data Theorem scans and secures mobile apps. The technology scans iOS (Apple), Android (Google & Amazon), and Windows Mobile (Microsoft) applications on a continuous basis (24/7/365) in search of security flaws and data privacy gaps. Secure code, such as TrustKit, is also provided to developers to remediate identified issues on a timely basis.

Data Theorem's DNA stems from early engineers of @stake, Inc. and co-founders of iSEC Partners, Inc. Data Theorem's academic partners, research collaborators, and alumni stem from Johns Hopkins University, Institut supérieur d'Electronique de Paris, Carnegie Mellon University, Stanford University, and the University of Minnesota.

