{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,13]],"date-time":"2025-11-13T07:15:41Z","timestamp":1763018141035,"version":"build-2065373602"},"reference-count":41,"publisher":"MDPI AG","issue":"12","license":[{"start":{"date-parts":[[2019,11,21]],"date-time":"2019-11-21T00:00:00Z","timestamp":1574294400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"C\u00e1tedra de Telef\u00f3nica \u201cInteligencia en la red\u201c, Universidad de Sevilla","award":["00"],"award-info":[{"award-number":["00"]}]},{"DOI":"10.13039\/501100006473","name":"Ministerio de Ciencia Tecnolog\u00eda y Telecomunicaciones","doi-asserted-by":"publisher","award":["ECLIPSE (RTI2018-094283-B-C33)"],"award-info":[{"award-number":["ECLIPSE (RTI2018-094283-B-C33)"]}],"id":[{"id":"10.13039\/501100006473","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100011011","name":"Junta de Andaluc\u00eda","doi-asserted-by":"publisher","award":["METAMORFOSIS"],"award-info":[{"award-number":["METAMORFOSIS"]}],"id":[{"id":"10.13039\/501100011011","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"<jats:p>The use of mobile devices has undergone rapid growth in recent years. However, on some occasions, security has been neglected when developing applications. SSL\/TLS has been used for years to secure communications although it is not a vulnerability-free protocol. One of the most common vulnerabilities is SSL pinning bypassing. This paper first describes some security controls to help protect against SSL pinning bypassing. Subsequently, some existing methods for bypassing are presented and two new methods are defined. We performed some experiments to check the use of security controls in widely used applications, and applied SSL pinning bypassing methods. Finally, we created an applicability framework, relating the implemented security controls and the methods that are applicable. This framework provides a guideline for pentesters and app developers.<\/jats:p>","DOI":"10.3390\/e21121136","type":"journal-article","created":{"date-parts":[[2019,11,22]],"date-time":"2019-11-22T02:49:27Z","timestamp":1574390967000},"page":"1136","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices"],"prefix":"10.3390","volume":"21","author":[{"given":"Francisco Jos\u00e9","family":"Ram\u00edrez-L\u00f3pez","sequence":"first","affiliation":[{"name":"Departamento de Tecnolog\u00eda Electr\u00f3nica, Universidad de Sevilla, 41012 Sevilla, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9953-6005","authenticated-orcid":false,"given":"\u00c1ngel Jes\u00fas","family":"Varela-Vaca","sequence":"additional","affiliation":[{"name":"Departamento de Lenguajes y Sistemas Inform\u00e1ticos, Universidad de Sevilla, 41012 Sevilla, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5445-0646","authenticated-orcid":false,"given":"Jorge","family":"Ropero","sequence":"additional","affiliation":[{"name":"Departamento de Tecnolog\u00eda Electr\u00f3nica, Universidad de Sevilla, 41012 Sevilla, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9041-0035","authenticated-orcid":false,"given":"Joaqu\u00edn","family":"Luque","sequence":"additional","affiliation":[{"name":"Departamento de Tecnolog\u00eda Electr\u00f3nica, Universidad de Sevilla, 41012 Sevilla, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9474-3929","authenticated-orcid":false,"given":"Alejandro","family":"Carrasco","sequence":"additional","affiliation":[{"name":"Departamento de Tecnolog\u00eda Electr\u00f3nica, Universidad de Sevilla, 41012 Sevilla, Spain"}]}],"member":"1968","published-online":{"date-parts":[[2019,11,21]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"e1855","DOI":"10.1002\/smr.1855","article-title":"The evolution of open-source mobile applications: An empirical study","volume":"29","author":"Li","year":"2017","journal-title":"J. Softw. Evol. Process."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"1153","DOI":"10.1016\/j.tele.2017.05.005","article-title":"What installed mobile applications tell about their owners and how they affect users\u2019 download behavior","volume":"34","author":"Unal","year":"2017","journal-title":"Telemat. Inform."},{"key":"ref_3","first-page":"7S2","article-title":"Security issues with self-signed SSL certificates","volume":"8","author":"Kumar","year":"2019","journal-title":"Int. J. Innov. Technol. Explor. Eng. (IJITEE)"},{"key":"ref_4","unstructured":"Lindgren, A., and Lindoff, B. (2019, September 03). On Estimating the Number of Worldwide LTE Cell-IDs and WiFi Aps. Available online: https:\/\/combain.com\/uploads\/Whitepaper_WorldWide_LTE_CellID_and_WiFi_APs_A.pdf."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Anthi, E., and Theodorakopoulos, G. (2017). Sensitive data in Smartphone Applications: Where does it go? Can it be intercepted?. International Conference on Security and Privacy in Communication Systems, Springer.","DOI":"10.1007\/978-3-319-78816-6_21"},{"key":"ref_6","unstructured":"Khan, J., Abbas, H., and Al-Muhtadi, J. (2017, January 14\u201317). Survey on mobile user\u2019s data privacy threats and defense mechanisms. Proceedings of the 12th Iberian Conference on Information Systems Technolo-Gies (CISTI), Lisbon, Portugal. No. 7975981."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"366","DOI":"10.1016\/j.future.2016.08.019","article-title":"A technique to circumvent SSL\/TLS validations on iOS devices","volume":"74","author":"Choo","year":"2017","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Razaghpanah, A., Sundaresan, S., Niaki, A.A., Amann, J., Vallina-Rodriguez, N., and Gill, P. (2017, January 12\u201315). Studying TLS usage in Android apps. Proceedings of the 13th International Conference on Emerging Technologies (CoNEXT 2017), Ingeon, Korea.","DOI":"10.1145\/3143361.3143400"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Fahl, S., Harbach, M., Perl, H., Koetter, M., and Smith, M. (2013, January 4\u20138). Rethinking SSL development in an appified world. Proceedings of the ACM SIGSAG Conference on Computer & Communications Security (CCS 2013), Berlin, Germany.","DOI":"10.1145\/2508859.2516655"},{"key":"ref_10","first-page":"275","article-title":"Analysing HSTS and HPKP implementation in both browsers and servers","volume":"12","author":"Torres","year":"2017","journal-title":"IET Inf. Secur."},{"key":"ref_11","unstructured":"Mueller, B., and Schleier, S. (2019, November 21). OWASP Mobile Application Security Verification Standard v 1.1.4. Available online: https:\/\/www.owasp.org\/index.php\/OWASP_Mobile_Security_Testing_Guide."},{"key":"ref_12","first-page":"23075","article-title":"Mobile computing security threats and solution","volume":"8","author":"Dhawale","year":"2016","journal-title":"Int. J. Pharm. Technol."},{"key":"ref_13","unstructured":"(2017, February 22). OWASP Mobile Top 10. Available online: https:\/\/www.owasp.org\/index.php\/Mobile_Top_10_2016-Top_10."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Kim, S., Han, H., Shin, D., Jeun, I., and Jeong, H. (2009, January 25\u201327). A study of International Trend Analysis on Web Service Vulnerabilities in OWASP and WASC. Proceedings of the 3rd International Conference on Information Security and Assurance (ISA 2009), Seoul, Korea.","DOI":"10.1007\/978-3-642-02617-1_80"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"412","DOI":"10.1007\/978-3-319-64474-5_35","article-title":"Security of mobile banking applications","volume":"635","author":"Szczepanik","year":"2018","journal-title":"Adv. Intell. Syst. Comput."},{"key":"ref_16","unstructured":"Hickman, K. (1995). The SSL Protocol, Netscape Communications Corp."},{"key":"ref_17","unstructured":"Dierks, T., and Rescorla, E. (2019, November 21). Available online: https:\/\/tools.ietf.org\/html\/rfc5246."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"3806","DOI":"10.3390\/e17063806","article-title":"On the detection of fake certificates via attribute correlation","volume":"17","author":"Gu","year":"2015","journal-title":"Entropy"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"1948","DOI":"10.1016\/j.infsof.2013.05.007","article-title":"Towards the automatic and optimal selection of risk treatments for business processes using a constraint programming approach","volume":"55","author":"Gasca","year":"2013","journal-title":"Inf. Softw. Technol."},{"key":"ref_20","unstructured":"(2019, September 03). Oracle\u2014Java Secure Socket Extension (JSSE) Reference Guide. Available online: https:\/\/docs.oracle.com\/javase\/8\/docs\/technotes\/guides\/security\/jsse\/JSSERefGuide.html."},{"key":"ref_21","unstructured":"(2019, September 03). OpenSSL. Available online: https:\/\/www.openssl.org\/."},{"key":"ref_22","unstructured":"(2019, September 03). LibreSSL. Available online: http:\/\/www.libressl.org\/."},{"key":"ref_23","unstructured":"(2019, September 03). GNUTLS. Available online: https:\/\/www.gnutls.org\/."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Al-Qershi, F., Al-Qurishi, M., Md Mizanur Rahman, S., and Al-Amri, A. (2014, January 17\u201319). Android vs. iOS: The security battle. Proceedings of the 2014 World Congress on Computer Applications and Information Systems (WCCAIS), Hammamet, Tunisia.","DOI":"10.1109\/WCCAIS.2014.6916629"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Onwuzurike, L., and de Cristofaro, E. (2015, January 22\u201326). Danger is my middle name: Experimenting with SSL vulnerabilities in Android apps. Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec\u2019 15), New York, NY, USA.","DOI":"10.1145\/2766498.2766522"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Fahl, S., Harbach, M., Muders, T., Baumg\u00e4rtner, L., Freisleben, B., and Smith, M. (2012, January 16\u201318). Why eve and mallory love android: An analysis of android SSL (in)security. Proceedings of the 2012 ACM conference on Computer and Communications Security (CCS\u2019 12), Raleigh, NC, USA.","DOI":"10.1145\/2382196.2382205"},{"key":"ref_27","unstructured":"Tendulkar, V., and Enck, W. (2014). An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities. arXiv."},{"key":"ref_28","unstructured":"Moonsamy, V., and Batten, L. (2014). Mitigating Man-In-the-Middle Attacks on Smartphones\u2014A Discussion of SSL Pinning and DNSSec. Proceedings of the 12th Australian Information Security Management Conference, Edith Cowan University."},{"key":"ref_29","unstructured":"Graves, J. (2019, October 18). SSL Pinning for Increased App Security. Available online: https:\/\/possiblemobile.com\/2013\/03\/ssl-pinning-forincreased-app-security\/."},{"key":"ref_30","unstructured":"Andzakovic, D. (2019, September 16). Bypassing SSL Pinning on Android via Reverse Engineering. Available online: https:\/\/security-assessment.com\/files\/documents\/whitepapers\/BypassingSSLPinningonAndroidviaReverseEngineering.pdf."},{"key":"ref_31","unstructured":"Sierra, F., and Ramirez, A. (October, January 30). Defending your android app. Proceedings of the ACM Conference on Research in Information Technology, Chicago, IL, USA."},{"key":"ref_32","unstructured":"(2019, September 16). OWASP\u2014Mobile Security Testing Guide\u2014Android Anti-Reversing Defenses. Available online: https:\/\/mobile-security.gitbook.io\/mobile-security-testing-guide\/android-testing-guide\/0x05j-testing-resiliency-against-reverse-engineering."},{"key":"ref_33","unstructured":"Apple Inc (2019, September 03). Security Transforms Programming Guide. Available online: https:\/\/developer.apple.com\/library\/content\/documentation\/Security\/Conceptual\/SecTransformPG\/SigningandVerifying\/SigningandVerifying.html."},{"key":"ref_34","unstructured":"(2019, September 03). ProGuard. Available online: https:\/\/www.guardsquare.com\/en\/proguard."},{"key":"ref_35","unstructured":"(2019, September 03). iXGuard. Available online: https:\/\/www.guardsquare.com\/en\/ixguard."},{"key":"ref_36","unstructured":"(2019, September 03). APKtool. Available online: https:\/\/ibotpeaches.github.io\/Apktool."},{"key":"ref_37","unstructured":"(2019, September 03). Penetration Testing Tool: Dex2jar Package. Available online: https:\/\/tools.kali.org\/reverse-engineering\/dex2jar."},{"key":"ref_38","unstructured":"(2019, September 03). Android Developer: Logcat. Available online: https:\/\/developer.android.com\/studio\/command-line\/logcat."},{"key":"ref_39","unstructured":"(2019, September 16). SSLUnpinning\u2014Certificate Pinning Bypass. Available online: https:\/\/repo.xposed.info\/module\/mobi.acpm.sslunpinning."},{"key":"ref_40","unstructured":"(2019, September 03). Frida. Available online: https:\/\/www.frida.re\/."},{"key":"ref_41","unstructured":"(2019, September 03). Objection. Available online: https:\/\/github.com\/sensepost\/objection."}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/21\/12\/1136\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:36:30Z","timestamp":1760189790000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/21\/12\/1136"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11,21]]},"references-count":41,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2019,12]]}},"alternative-id":["e21121136"],"URL":"https:\/\/doi.org\/10.3390\/e21121136","relation":{},"ISSN":["1099-4300"],"issn-type":[{"type":"electronic","value":"1099-4300"}],"subject":[],"published":{"date-parts":[[2019,11,21]]}}}