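@comment{
  The two entries below are duplicate records of the same USENIX Security 2015
  paper (a dblp export and the USENIX-provided record). Both citation keys are
  kept so that documents citing either key still resolve; prefer the second key
  (190898, which carries the abstract) for new citations. The first entry
  inherits fields via crossref from conf/uss/2015, which is not in this part of
  the file: classic BibTeX requires that parent entry to appear after its
  children, and warns if it is missing.
  Fixes applied to both records: page ranges use a double hyphen, the em dash in
  the title is written as --- (classic BibTeX is 8-bit only), TLS/USENIX are
  brace-protected against style recasing, and the literal percent signs in the
  abstract are escaped so they are not treated as LaTeX comment markers.
}

@inproceedings{conf/uss/OltroggeAD0F15,
  author    = {Oltrogge, Marten and Acar, Yasemin and Dechand, Sergej and Smith, Matthew and Fahl, Sascha},
  title     = {To Pin or Not to Pin---Helping App Developers Bullet Proof Their {TLS} Connections},
  booktitle = {{USENIX} Security Symposium},
  editor    = {Jung, Jaeyeon and Holz, Thorsten},
  publisher = {USENIX Association},
  year      = 2015,
  pages     = {239--254},
  crossref  = {conf/uss/2015},
  ee        = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/oltrogge},
  url       = {http://dblp.uni-trier.de/db/conf/uss/uss2015.html#OltroggeAD0F15},
  keywords  = {dblp},
  added-at  = {2016-08-19T00:00:00.000+0200},
  timestamp = {2016-08-20T11:35:41.000+0200},
  biburl    = {https://www.bibsonomy.org/bibtex/244e41bafe7a71f871c36982832f3932f/dblp},
  interhash = {186f114e6fac501d5a55c5b2696237f8},
  intrahash = {44e41bafe7a71f871c36982832f3932f},
}

@inproceedings{190898,
  author    = {Oltrogge, Marten and Acar, Yasemin and Dechand, Sergej and Smith, Matthew and Fahl, Sascha},
  title     = {To Pin or Not to Pin---Helping App Developers Bullet Proof Their {TLS} Connections},
  booktitle = {24th {USENIX} Security Symposium ({USENIX} Security 15)},
  publisher = {USENIX Association},
  address   = {Washington, D.C.},
  year      = 2015,
  month     = aug,
  pages     = {239--254},
  isbn      = {978-1-931971-232},
  url       = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/oltrogge},
  keywords  = {TLS android apps certificate myown pinning security},
  abstract  = {For increased security during TLS certificate validation, a common recommendation is to use a variation of pinning. Especially non-browser software developers are encouraged to limit the number of trusted certificates to a minimum, since the default CA-based approach is known to be vulnerable to serious security threats. The decision for or against pinning is always a tradeoff between increasing security and keeping maintenance efforts at an acceptable level. In this paper, we present an extensive study on the applicability of pinning for non-browser software by analyzing 639,283 Android apps. Conservatively, we propose pinning as an appropriate strategy for 11,547 (1.8\%) apps or for 45,247 TLS connections (4.25\%) in our sample set. With a more optimistic classification of borderline cases, we propose pinning for consideration for 58,817 (9.1\%) apps or for 140,020 (13.8\%) TLS connections. This weakens the assumption that pinning is a widely usable strategy for TLS security in non-browser software. However, in a nominal--actual comparison, we find that only 45 apps actually implement pinning. We collected developer feedback from 45 respondents and learned that only a quarter of them grasp the concept of pinning, but still find pinning too complex to use. Based on their feedback, we built an easy-to-use web-application that supports developers in the decision process and guides them through the correct deployment of a pinning-protected TLS implementation.},
  added-at  = {2016-01-12T13:04:20.000+0100},
  timestamp = {2020-04-17T12:11:05.000+0200},
  biburl    = {https://www.bibsonomy.org/bibtex/28c75d47aee390ed5c30586b98f64cb87/smithl3s},
  interhash = {186f114e6fac501d5a55c5b2696237f8},
  intrahash = {8c75d47aee390ed5c30586b98f64cb87},
}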