Publications

All of details of this work are described in the paper:

• Spinner: Semi-Automatic Detection of Pinning without Hostname Verification (paper, cite) published at ACSAC 2017.

The paper above built on our previous work on an more general analysis of TLS in UK banking apps. This included various TLS certificate mis-verification vulnerabilites, in addition to phishing attacks. Details of this work can be found here:

• Why Banker Bob (Still) Can’t Get TLS Right: A Security Analysis of TLS in Leading UK Banking Apps (paper, cite) published at FC 2017.