Securing Network Communications: An Investigation into Certificate Authorities on Mobile

SecTor 2016

Presented by: Andrew Blaich
Date: Tuesday October 18, 2016
Time: 10:15 - 11:15
Location: 701A
Track: Tech

This talk will take an in-depth look at the certificate authorities (CAs) found on mobile devices today. The CAs included in our mobile devices make up the roots of trust that our secure network transactions rely on to validate that the servers we are talking to are who they say they are. Focusing specifically on mobile devices, but also addressing non-mobile platforms, this talk will look at the current state of the CAs and the changes happening to them, including who is there, who is being added, and who is being removed. Additionally, this talk will look at the technical changes in the latest mobile operating systems that let app developers take control of the trust chain via techniques like certificate pinning and the trusting (or not trusting) of specific certificate authorities. Furthermore, it will offer a case study of how some app developers are already actively limiting the CAs they trust.
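The developer-side controls the abstract refers to, shown as an added example that is not from the talk: an Android 7.0 (Nougat) Network Security Config that restricts the app to the system CA store, pins a backend host's keys, and limits that host's issuers to a single bundled CA. The hostname, the raw resource name and the pin values are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (constructed example; the host,
     the @raw resource and the pin values below are placeholders) -->
<network-security-config>
    <!-- App-wide default: trust only the platform's system CA store and
         refuse cleartext. User-installed CAs are excluded from the chain. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Narrower trust for the app's own backend: pin base64(SHA-256(SPKI))
         of the serving key plus a backup key held offline for rotation. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2017-12-31">
            <!-- PLACEHOLDER: hash of the current key's SubjectPublicKeyInfo -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- PLACEHOLDER: backup pin, so rotating the key does not lock clients out -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
        <trust-anchors>
            <!-- Only the CA bundled at res/raw/backend_ca.pem may issue for this host -->
            <certificates src="@raw/backend_ca" />
        </trust-anchors>
    </domain-config>

    <!-- Honoured only when android:debuggable="true": lets a test build
         trust a user-installed CA for inspecting its own traffic. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The file is activated with `android:networkSecurityConfig="@xml/network_security_config"` on the manifest's `<application>` element; note that once the `expiration` date passes, Android stops enforcing the pin-set rather than failing connections, so the date must be tracked like any other certificate lifetime.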

Andrew Blaich

Andrew Blaich is a staff security engineer and researcher at Lookout, where he is focused on securing, responding to, and defending all things mobile. Prior to Lookout, Andrew was the Lead Security Analyst at Bluebox Security. He holds a Ph.D. in computer science and engineering from the University of Notre Dame, with a focus on enterprise security and wireless networking. In the past, Andrew has worked at both Samsung and Qualcomm Research. Andrew has presented at conferences including RSA, Interop, and SANS DFIR. In his free time, he loves to research the security of IoT devices.


KhanFu - Mobile schedules for INFOSEC conferences.