I'm a software engineer at Data Theorem. Find me on GitHub or LinkedIn, or email me at nabla.c0d3[at]gmail[dot]com


Serverless vs Containers: A Case Study of Building and Securing Real-World Microservices

June 2019 - Cloud Expo 2019

Presentation about an experimentation we did at Data Theorem: building the same micro-service first using Google Cloud's Serverless platform, and then their container orchestration offering, to compare the benefits and downsides of each approach.

Where, how, and why is SSL traffic on mobile getting intercepted?

January 2018 - OWASP AppSec California

November 2017 - BlueHat v17

Presentation about our analysis of 10 million pinning failure reports coming from devices all around the world, that mobile developers who use TrustKit in their apps have shared with us.

iOS Application Security

February 2016 - Book release

I was the Technical Reviewer for David Thiel's "iOS Application Security". This book goes in great details about how to spot security issues affecting iOS Apps and how to avoid making these mistakes when building an App.

TrustKit: Code Injection on iOS 8 for the Greater Good

August 2015 - Black Hat USA 2015

Presentation about a new open-source library that makes it very easy to deploy SSL pinning in iOS or OS X Apps.

It Just (Net)Works: The Truth About iOS 7's Multipeer Connectivity Framework

October 2014 - Hack in The Box Kuala Lumpur 2014

August 2014 - Black Hat USA 2014

Presentation on how I reverse-engineered Apple's undocumented Multipeer Connectivity Framework. I also uncovered a man-in-the-middle attack allowing an attacker to downgrade the encryption level of the connection; this issue was later fixed by Apple in iOS 9 as CVE-2015-5851.

Security Audit of Cryptocat iOS

March 2014 - Security report

iSEC Partners performed a security audit of the Cryptocat chat application on iOS; this audit was commissioned by the Open Technology Fund and I was the lead tester on this project. The final report for the work we did has been made publicly available.

Introspy: Security Profiling for Blackbox iOS and Android

October 2013 - Ruxcon 2013

Presentation introducing Introspy, a tool to greatly simplify the process of finding security vulnerabilities in iOS and Android applications.

Everything you've always wanted to know about certificate validation with OpenSSL (but were afraid to ask)

October 2012 - Whitepaper

Whitepaper on how to properly perform certificate validation within an SSL client application using OpenSSL.

When security gets in the way: PenTesting mobile apps that use certificate pinning

July 2012 - Black Hat USA 2012

Presentation about how to bypass SSL certificate pinning when pentesting iOS and Android applications.

Open Source


Python library that can analyze the SSL/TLS configuration of a server by connecting to it. It is designed to be fast and comprehensive, and helps organizations and testers identify misconfigurations affecting their servers.

TrustKit iOS and TrustKit Android

Open source libraries for "Drag & Drop" SSL pinning and SSL reporting in iOS/macOS/Android Apps.

Trust Store Observatory

Python tool to continuously monitor and record the content of the major platforms' root certificate stores.

SSL Kill Switch

Blackbox tool to disable SSL certificate validation - including certificate pinning - within OS X and iOS Apps. The initial release was presented at the Black Hat USA conference in 2012.

SSL Conservatory - No longer maintained

Correct implementation of SSL is crucial to secure transmission of data between clients and servers. However, this crucial task is frequently done improperly, due to complex APIs and lack of understanding of SSL fundamentals. The SSL Conservatory is intended to be a clearinghouse for well-documented and secure sample code to correctly implement SSL clients.

Introspy - No longer maintained

Open-source security profiler for iOS, designed to help penetration testers understand what an application does at runtime.