About

I work as a Cybersecurity and Tech expert at Parquuet National Financier. Find me on GitHub or LinkedIn, or email me at nabla.c0d3[at]gmail[dot]com

Research

Serverless vs Containers: A Case Study of Building and Securing Real-World Microservices

June 2019 - Cloud Expo 2019

Presentation about an experiment we did at Data Theorem: building the same microservice first on Google Cloud's serverless platform and then on their container orchestration offering, to compare the benefits and downsides of each approach.

Where, how, and why is SSL traffic on mobile getting intercepted?

January 2018 - OWASP AppSec California

November 2017 - BlueHat v17

Presentation about our analysis of 10 million pinning failure reports, coming from devices all around the world, that mobile developers who use TrustKit in their apps have shared with us.

iOS Application Security

February 2016 - Book release

I was the Technical Reviewer for David Thiel's "iOS Application Security". This book goes into great detail about how to spot security issues affecting iOS Apps and how to avoid making these mistakes when building an App.

TrustKit: Code Injection on iOS 8 for the Greater Good

August 2015 - Black Hat USA 2015

Presentation about a new open-source library that makes it very easy to deploy SSL pinning in iOS or OS X Apps.

It Just (Net)Works: The Truth About iOS 7's Multipeer Connectivity Framework

October 2014 - Hack in The Box Kuala Lumpur 2014

August 2014 - Black Hat USA 2014

Presentation on how I reverse-engineered Apple's undocumented Multipeer Connectivity Framework. I also uncovered a man-in-the-middle attack allowing an attacker to downgrade the encryption level of the connection; this issue was later fixed by Apple in iOS 9 as CVE-2015-5851.

Security Audit of Cryptocat iOS

March 2014 - Security report

iSEC Partners performed a security audit of the Cryptocat chat application on iOS; the audit was commissioned by the Open Technology Fund, and I was the lead tester on this project. The final report for the work we did has been made publicly available.

Introspy: Security Profiling for Blackbox iOS and Android

October 2013 - Ruxcon 2013

Presentation introducing Introspy, a tool to greatly simplify the process of finding security vulnerabilities in iOS and Android applications.

Everything you've always wanted to know about certificate validation with OpenSSL (but were afraid to ask)

October 2012 - Whitepaper

Whitepaper on how to properly perform certificate validation within an SSL client application using OpenSSL.

When security gets in the way: PenTesting mobile apps that use certificate pinning

July 2012 - Black Hat USA 2012

Presentation about how to bypass SSL certificate pinning when pentesting iOS and Android applications.

Open Source

SSLyze

Python library that can analyze the SSL/TLS configuration of a server by connecting to it. It is designed to be fast and comprehensive, and helps organizations and testers identify misconfigurations affecting their servers.

TrustKit iOS and TrustKit Android

Open source libraries for "Drag & Drop" SSL pinning and SSL reporting in iOS/macOS/Android Apps.

Trust Store Observatory

Python tool to continuously monitor and record the content of the major platforms' root certificate stores.

SSL Kill Switch

Blackbox tool to disable SSL certificate validation - including certificate pinning - within OS X and iOS Apps. The initial release was presented at the Black Hat USA conference in 2012.

SSL Conservatory - No longer maintained

Correct implementation of SSL is crucial to secure transmission of data between clients and servers. However, this crucial task is frequently done improperly, due to complex APIs and lack of understanding of SSL fundamentals. The SSL Conservatory is intended to be a clearinghouse for well-documented and secure sample code to correctly implement SSL clients.

Introspy - No longer maintained

Open-source security profiler for iOS, designed to help penetration testers understand what an application does at runtime.