Detection of SSL/TLS Implementation Errors in Android Applications

Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocols are used to secure network communication (e.g., transmitting user data). Failing to implement the SSL/TLS configuration properly during app development results in security risks. Weak implementations include trusting all host names, trusting all certificates, ignoring certificate verification errors, and not using SSL public key pinning. These insecure implementations can expose the app to Man-In-The-Middle (MITM) attacks. The main aim of this research is to detect configuration errors in the SSL/TLS implementation of Android apps. The approach combines existing open source tools in a static analysis phase with a manual method in a dynamic analysis phase. The findings obtained in the static analysis phase by scanning for four types of vulnerabilities are then tested in the dynamic analysis phase to verify whether SSL/TLS is actually misused. The dynamic analysis is essential for eliminating the false positives generated at the static analysis stage. We analyze 109 apps from the Google Play Store; the experimental results show that 45 (41.28%) apps contain potential security errors in their use of SSL/TLS, and we verify that 19 (17.43%) of the 109 apps are vulnerable to MITM attacks.
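As an added illustration (not the paper's tooling), the following Python scanner shows the kind of pattern matching a static phase performs for the four categories named above, run over constructed decompiled-source snippets. It assumes pinning is declared through a network_security_config.xml pin-set; every hit is only a candidate that the dynamic phase must confirm, which is exactly why the abstract calls dynamic analysis essential.

```python
import re

# Category -> regex over decompiled Java source. Each regex targets the code shape
# a permissive implementation takes; a hit is a candidate, not a confirmed flaw.
PATTERNS = {
    "trust_all_hostnames": re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;"),
    "trust_all_certs": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}"),  # empty body, never throws
    "ignore_ssl_errors": re.compile(
        r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)"),
}

def scan_java(path, src):
    """Return (category, path) for every weak pattern found in one source file."""
    return [(cat, path) for cat, rx in PATTERNS.items() if rx.search(src)]

def scan_pinning(nsc_xml):
    """Fourth category: no <pin-set> in network_security_config.xml (or no config at all)."""
    if nsc_xml is None or "<pin-set" not in nsc_xml:
        return [("no_public_key_pinning", "res/xml/network_security_config.xml")]
    return []

def scan_app(java_files, nsc_xml):
    findings = []
    for path, src in java_files.items():
        findings += scan_java(path, src)
    return findings + scan_pinning(nsc_xml)

# Constructed decompiled sources standing in for an app under analysis (hypothetical paths).
WEAK_APP = {
    "com/example/net/TrustAll.java": """
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }""",
    "com/example/ui/Web.java": """
        public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
            h.proceed();
        }""",
    "com/example/net/Hosts.java": """
        public boolean verify(String host, SSLSession s) { return true; }""",
}
# Hardened counterpart: platform hostname verification plus a pinned config (placeholder hash).
SAFE_APP = {
    "com/example/net/Hosts.java": """
        public boolean verify(String host, SSLSession s) {
            return HttpsURLConnection.getDefaultHostnameVerifier().verify(host, s);
        }""",
}
SAFE_NSC = ('<domain-config><pin-set expiration="2030-01-01"><pin digest="SHA-256">'
            'PLACEHOLDER_BASE64_SPKI_HASH=</pin></pin-set></domain-config>')

if __name__ == "__main__":
    for f in scan_app(WEAK_APP, None):
        print("candidate:", *f)   # each still needs dynamic confirmation
    print("hardened app findings:", scan_app(SAFE_APP, SAFE_NSC))
```

A regex hit on an unreachable trust-all class (dead code, test-only flavor) is a typical static false positive; only observing the app accept an untrusted certificate at run time confirms the finding.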

Gazi Üniversitesi Fen Bilimleri Dergisi Part C: Tasarım ve Teknoloji
  • Publication frequency: 4 issues per year
  • Founded: 2013
  • Publisher: Gazi Üniversitesi, Fen Bilimleri Enstitüsü