dc.contributor.author: Wang, Yingjie
dc.contributor.author: Xu, Guangquan
dc.contributor.author: Liu, Xing
dc.contributor.author: Mao, Weixuan
dc.contributor.author: Si, Chengxiang
dc.contributor.author: Pedrycz, Witold
dc.contributor.author: Wang, Wei
dc.date.accessioned: 2020-05-04T11:17:38Z
dc.date.available: 2020-05-04T11:17:38Z
dc.date.issued: 2020-04-22
dc.date.submitted: 2019-09-15
dc.identifier.citation: Wang, Y., Xu, G., Liu, X., Mao, W., Si, C., Pedrycz, W., & Wang, W. (2020). Identifying vulnerabilities of SSL/TLS certificate verification in Android apps with static and dynamic analysis. Journal of Systems and Software, 167, 110609. doi:10.1016/j.jss.2020.110609
dc.identifier.issn: 0164-1212
dc.identifier.doi: 10.1016/j.jss.2020.110609
dc.identifier.uri: http://hdl.handle.net/10754/662718
dc.description.abstract: Many Android developers fail to implement SSL/TLS properly when developing an app, which may expose users to Man-In-The-Middle (MITM) attacks or phishing attacks. In this work, we design and implement a tool called DCDroid to detect these vulnerabilities with a combination of static and dynamic analysis. In static analysis, we focus on four types of vulnerable schemas and locate the potentially vulnerable code snippets in apps. In dynamic analysis, we prioritize the triggering of User Interface (UI) components based on the results obtained from static analysis to confirm the misuse of SSL/TLS. With DCDroid we analyze 2213 apps from Google Play and 360app. The experimental results show that 457 (20.65%) apps contain potentially vulnerable code. We run the apps with DCDroid on two Android smartphones and confirm that 245 (11.07%) of the 2213 apps are truly vulnerable to MITM and phishing attacks. We propose several strategies to reduce the number of crashes and shorten the execution time in dynamic analysis. Compared with our previous work, DCDroid reduces the number of app crashes by 57.18% and the execution time by 32.47% on average. It also outperforms three other tools, namely AndroBugs, kingkong and appscan, in terms of detection accuracy.
dc.description.sponsorship: The work reported in this paper was supported in part by the Natural Science Foundation of China, under Grant U1736114, and in part by the National Key R&D Program of China, under Grant 2017YFB0802805.
dc.publisher: Elsevier BV
dc.relation.url: https://linkinghub.elsevier.com/retrieve/pii/S016412122030087X
dc.rights: NOTICE: this is the author’s version of a work that was accepted for publication in Journal of Systems and Software. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Journal of Systems and Software, 167, (2020-04-22), DOI: 10.1016/j.jss.2020.110609. © 2020. This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/
dc.title: Identifying vulnerabilities of SSL/TLS certificate verification in Android apps with static and dynamic analysis
dc.type: Article
dc.contributor.department: Computer, Electrical and Mathematical Sciences and Engineering (CEMSE) Division
dc.identifier.journal: Journal of Systems and Software
dc.rights.embargodate: 2022-04-27
dc.eprint.version: Post-print
dc.contributor.institution: Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China
dc.contributor.institution: Big Data School, Qingdao Huanghai University, China
dc.contributor.institution: Tianjin Key Laboratory of Advanced Networking, College of Intelligence and Computing, Tianjin University, 300350 Tianjin, China
dc.contributor.institution: National Computer Network Emergency Response Technical Team / Coordination Center of China, China
dc.contributor.institution: Department of Electrical and Computer Engineering, University of Alberta, Canada
dc.identifier.volume: 167
dc.identifier.pages: 110609
kaust.person: Wang, Wei
dc.date.accepted: 2020-04-17
dc.identifier.eid: 2-s2.0-85083770002
dc.date.published-online: 2020-04-22
dc.date.published-print: 2020-09