June 2019 - Cloud Expo 2019
Presentation about an experiment we did at Data Theorem: building the same micro-service first using Google Cloud's Serverless platform, and then their container orchestration offering, to compare the benefits and downsides of each approach.
January 2018 - OWASP AppSec California
November 2017 - BlueHat v17
Presentation about our analysis of 10 million pinning failure reports, coming from devices all around the world, that mobile developers who use TrustKit in their apps have shared with us.
February 2016 - Book release
I was the Technical Reviewer for David Thiel's "iOS Application Security". This book goes into great detail about how to spot security issues affecting iOS Apps and how to avoid making these mistakes when building an App.
August 2015 - Black Hat USA 2015
Presentation about a new open-source library that makes it very easy to deploy SSL pinning in iOS or OS X Apps.
Presentation on how I reverse-engineered Apple's undocumented Multipeer Connectivity Framework. I also uncovered a man-in-the-middle attack allowing an attacker to downgrade the encryption level of the connection; this issue was later fixed by Apple in iOS 9 as CVE-2015-5851.
March 2014 - Security report
iSEC Partners performed a security audit of the Cryptocat chat application on iOS; this audit was commissioned by the Open Technology Fund and I was the lead tester on this project. The final report for the work we did has been made publicly available.
October 2013 - Ruxcon 2013
Presentation introducing Introspy, a tool to greatly simplify the process of finding security vulnerabilities in iOS and Android applications.
Everything you've always wanted to know about certificate validation with OpenSSL (but were afraid to ask)
October 2012 - Whitepaper
Whitepaper on how to properly perform certificate validation within an SSL client application using OpenSSL.
July 2012 - Black Hat USA 2012
Presentation about how to bypass SSL certificate pinning when pentesting iOS and Android applications.
Open source libraries for "Drag & Drop" SSL pinning and SSL reporting in iOS/macOS/Android Apps.
Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.
Python tool to continuously monitor and record the content of the major platforms' root certificate stores.
Blackbox tool to disable SSL certificate validation - including certificate pinning - within OS X and iOS Apps. The initial release was presented at the Black Hat USA conference in 2012.
SSL Conservatory - No longer maintained
Correct implementation of SSL is crucial to the secure transmission of data between clients and servers. However, this crucial task is frequently done improperly, due to complex APIs and a lack of understanding of SSL fundamentals. The SSL Conservatory is intended to be a clearinghouse for well-documented and secure sample code to correctly implement SSL clients.
Introspy - No longer maintained
Open-source security profiler for iOS, designed to help penetration testers understand what an application does at runtime.