DOI: 10.1145/2766498.2766522
Short paper

Danger is my middle name: experimenting with SSL vulnerabilities in Android apps

Published: 22 June 2015

Abstract

This paper presents a measurement study of information leakage and SSL vulnerabilities in popular Android apps. We perform static and dynamic analysis on 100 apps, downloaded at least 10M times, that request full network access. Our experiments show that, although prior work has drawn a lot of attention to SSL implementations on mobile platforms, several popular apps (32/100) accept all certificates and all hostnames, and four actually transmit sensitive data unencrypted. We set up an experimental testbed simulating man-in-the-middle attacks and find that many apps (up to 91% when the adversary has a certificate installed on the victim's device) are vulnerable, allowing the attacker to access sensitive information, including credentials, files, personal details, and credit card numbers. Finally, we provide a few recommendations to app developers and highlight several open research problems.


Published In

WiSec '15: Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, June 2015, 256 pages. ISBN: 9781450336239. DOI: 10.1145/2766498.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from ACM.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Android security
  2. information leakage
  3. privacy

Qualifiers

  • Short-paper

Conference

WiSec'15
Sponsor:
  • SIGSAC
  • US Army Research Office
  • NSF

Acceptance Rates

Overall Acceptance Rate 98 of 338 submissions, 29%

Article Metrics

  • Downloads (last 12 months): 16
  • Downloads (last 6 weeks): 2
Reflects downloads up to 20 Jan 2025

Cited By

  • (2024) The Not-So-Silent Type: Vulnerabilities in Chinese IME Keyboards' Network Security Protocols. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 1701-1715. DOI: 10.1145/3658644.3690302. Published online 2 Dec 2024.
  • (2024) On the Complexity of the Web's PKI: Evaluating Certificate Validation of Mobile Browsers. IEEE Transactions on Dependable and Secure Computing 21(1), pp. 419-433. DOI: 10.1109/TDSC.2023.3255869. Published online Jan 2024.
  • (2024) Security Analysis of Google Authenticator, Microsoft Authenticator, and Authy. Digital Forensics and Cyber Crime, pp. 197-206. DOI: 10.1007/978-3-031-56583-0_13. Published online 3 Apr 2024.
  • (2022) Digital Forensic Case Studies for In-Vehicle Infotainment Systems Using Android Auto and Apple CarPlay. Sensors 22(19), article 7196. DOI: 10.3390/s22197196. Published online 22 Sep 2022.
  • (2022) Analysis of Payment Service Provider SDKs in Android. Proceedings of the 38th Annual Computer Security Applications Conference, pp. 576-590. DOI: 10.1145/3564625.3564641. Published online 5 Dec 2022.
  • (2022) Eavesdropping user credentials via GPU side channels on smartphones. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 285-299. DOI: 10.1145/3503222.3507757. Published online 28 Feb 2022.
  • (2022) Assessing certificate validation user interfaces of WPA supplicants. Proceedings of the 28th Annual International Conference on Mobile Computing And Networking, pp. 501-513. DOI: 10.1145/3495243.3517026. Published online 14 Oct 2022.
  • (2022) BatteryLab: A Collaborative Platform for Power Monitoring. Passive and Active Measurement, pp. 97-121. DOI: 10.1007/978-3-030-98785-5_5. Published online 22 Mar 2022.
  • (2021) Are You Dating Danger? An Interdisciplinary Approach to Evaluating the (In)Security of Android Dating Apps. IEEE Transactions on Sustainable Computing 6(2), pp. 197-207. DOI: 10.1109/TSUSC.2017.2783858. Published online 1 Apr 2021.
  • (2020) Cardpliance. Proceedings of the 29th USENIX Conference on Security Symposium, pp. 1517-1533. DOI: 10.5555/3489212.3489298. Published online 12 Aug 2020.
