DCdroid: Automated detection of SSL/TLS certificate verification vulnerabilities in android apps
Online Publication Date2019-07-19
Print Publication Date2019
Permanent link to this recordhttp://hdl.handle.net/10754/660597
MetadataShow full item record
AbstractCurrent Android applications (apps) often use Security Socket Layer(SSL)/Transport Layer Security(TLS) protocols to transmit users' information, as the implementation of SSL/TLS secures the transmission of sensitive information. However, for various reasons, Android developers fail to properly implement SSL/TLS during the development of an app, resulting in security risks. The improper implementations include trusting all certificates, trusting all domain names, or ignoring certificate verification errors. These improper implementations may result in Man-In-The-Middle(MITM) attacks or phishing attacks. In this work, we are motivated to detect vulnerabilities in implementation of SSL/TLS in Android apps by designing and implementing a tool called DCDroid (Detecting SSL/TLS Certificate verification vulnerabilities in Android apps) with the combination of static analysis and dynamic analysis. We focus on four types of vulnerable schema and locate the potential vulnerable code snippets in apps with static analysis. In dynamic analysis, we prioritize the triggering of User Interface(UI) components based on the results with static analysis to confirm the misuse of SSL/TLS. The dynamic analysis benefits from the static analysis and removes false positives. With DCDroid we analyze 960 apps from Google Play and 1253 apps from 360app. The experimental results show that 457 (20.65%) apps contain potential security risks in the implementation of SSL/TLS. Guided by the static analysis, we further confirm that 248 (11.21%) out of 2213 apps are truly vulnerable to MITM and phishing attacks. By analyzing the categories, ranks and version evolution of these detected vulnerable apps, we find that apps of News&Books are more likely to introduce SSL/TLS risks. We also find that the fix cycle of the risk is very long. We provide suggestions on SSL/TLS certificate verification to Android developers in order to deal with the SSL/TLS certificate verification vulnerabilities.
CitationWang, Y., Liu, X., Mao, W., & Wang, W. (2019). DCDroid. Proceedings of the ACM Turing Celebration Conference - China on - ACM TURC ’19. doi:10.1145/3321408.3326665
SponsorsThe work reported in this paper was supported in part by Natural Science Foundation of China, under Grant U1736114, and in part by National Key R&D Program of China, under grant 2017YFB0802805.
Conference/Event name2019 ACM Turing Celebration Conference - China, ACM TURC 2019