DOI: 10.1145/2382196.2382205
Research article

Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security

Published: 16 October 2012

Abstract

Many Android apps have a legitimate need to communicate over the Internet and are then responsible for protecting potentially sensitive data during transit. This paper seeks to better understand the potential security threats posed by benign Android apps that use the SSL/TLS protocols to protect data they transmit. Since the lack of visual security indicators for SSL/TLS usage and the inadequate use of SSL/TLS can be exploited to launch Man-in-the-Middle (MITM) attacks, an analysis of 13,500 popular free apps downloaded from Google's Play Market is presented.
We introduce MalloDroid, a tool to detect potential vulnerability to MITM attacks. Our analysis revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps, which allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. Furthermore, an online survey was conducted to evaluate users' perceptions of certificate warnings and HTTPS visual security indicators in Android's browser, showing that half of the 754 participating users were not able to correctly judge whether their browser session was protected by SSL/TLS or not. We conclude by considering the implications of these findings and discuss several countermeasures with which these problems could be alleviated.
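The misuse the paper measures is app code that disables certificate or hostname validation. As an added example (not MalloDroid and not the paper's code), the Python below applies a simplified source-level heuristic in that spirit: it scans Java fragments for a checkServerTrusted that neither throws nor delegates to another trust manager, and for a HostnameVerifier that always returns true. MalloDroid itself analysed decompiled app code; the Java fragments, class names and the PINNED constant here are constructed for illustration.

```python
import re

# Constructed Java fragments resembling decompiled app code (illustrative
# input made up for this example, not taken from the paper).
ACCEPT_ALL = """
class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a) {}
}
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
};
"""
DELEGATING = """
class Pinning implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String auth)
            throws CertificateException {
        defaultTm.checkServerTrusted(chain, auth);   // keep system validation
        if (!Arrays.equals(chain[0].getEncoded(), PINNED))
            throw new CertificateException("pin mismatch");
    }
}
"""

def _block_after(src, pos):
    """Return the contents of the first {...} block starting at or after pos."""
    i = src.index("{", pos)
    depth = 0
    for j in range(i, len(src)):
        if src[j] == "{":
            depth += 1
        elif src[j] == "}":
            depth -= 1
            if depth == 0:
                return src[i + 1:j]
    raise ValueError("unbalanced braces")

def find_ssl_misuse(src):
    """Return findings for validation-disabling patterns (empty list = none seen)."""
    findings = []
    for m in re.finditer(r"\bvoid\s+checkServerTrusted\s*\(", src):
        body = _block_after(src, m.end())
        # A body that neither throws nor delegates to another trust manager
        # silently accepts every certificate chain.
        if "throw" not in body and "checkServerTrusted" not in body:
            findings.append("checkServerTrusted accepts all certificates")
    for m in re.finditer(r"\bboolean\s+verify\s*\(\s*String\b", src):
        body = _block_after(src, m.end())
        if re.search(r"\breturn\s+true\s*;", body):
            findings.append("HostnameVerifier accepts every host")
    if "ALLOW_ALL_HOSTNAME_VERIFIER" in src:
        findings.append("ALLOW_ALL_HOSTNAME_VERIFIER in use")
    return findings
```

A heuristic like this produces candidates for manual review, which is how the paper's 100-app audit followed its automated pass.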


Published In

CCS '12: Proceedings of the 2012 ACM Conference on Computer and Communications Security
October 2012, 1088 pages
ISBN: 9781450316514
DOI: 10.1145/2382196

Publisher

Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. android
      2. apps
      3. mitma
      4. security
      5. ssl


Conference

CCS'12: the ACM Conference on Computer and Communications Security
October 16-18, 2012, Raleigh, North Carolina, USA

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
