Conference topic

DCDroid: Automated Detection of SSL/TLS Certificate Verification Vulnerabilities in Android Apps

Current Android applications (apps) often use the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols to transmit users' information, as a correct implementation of SSL/TLS secures the transmission of sensitive data. However, for various reasons, Android developers fail to implement SSL/TLS properly during app development, resulting in security risks. The improper implementations include trusting all certificates, trusting all domain names, or ignoring certificate verification errors. These improper implementations may result in Man-In-The-Middle (MITM) attacks or phishing attacks. In this work, we are motivated to detect vulnerabilities in the implementation of SSL/TLS in Android apps by designing and implementing a tool called DCDroid (Detecting SSL/TLS Certificate verification vulnerabilities in Android apps), which combines static analysis and dynamic analysis. We focus on four types of vulnerable schema and locate the potentially vulnerable code snippets in apps with static analysis. In dynamic analysis, we prioritize the triggering of User Interface (UI) components based on the results of the static analysis to confirm the misuse of SSL/TLS. The dynamic analysis benefits from the static analysis and removes false positives. With DCDroid we analyze 960 apps from Google Play and 1253 apps from 360app. The experimental results show that 457 (20.65%) apps contain potential security risks in the implementation of SSL/TLS. Guided by the static analysis, we further confirm that 248 (11.21%) out of 2213 apps are truly vulnerable to MITM and phishing attacks. By analyzing the categories, ranks and version evolution of these detected vulnerable apps, we find that apps in the News & Books category are more likely to introduce SSL/TLS risks. We also find that the fix cycle of the risk is very long. We provide suggestions on SSL/TLS certificate verification to Android developers in order to deal with SSL/TLS certificate verification vulnerabilities.

Android security; MITM; SSL/TLS; static analysis; dynamic analysis

Yingjie Wang, Xing Liu, Weixuan Mao, Wei Wang

Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong Univer; National Computer Network Emergency Response Technical Team/Coordination Center of China; Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong Univer

International conference

2019 China Turing Conference (ACM Turing Celebration Conference - China 2019)

Chengdu

English

825-833

2019-05-17 (date first posted on the Wanfang platform; not the paper's publication date)