DCdroid: Automated detection of SSL/TLS certificate verification vulnerabilities in android apps

Type
Conference Paper

Authors
Wang, Yingjie
Mao, Weixuan
Liu, Xing
Wang, Wei

KAUST Department
Computer, Electrical and Mathematical Sciences and Engineering (CEMSE) Division

Online Publication Date
2019-07-19

Print Publication Date
2019

Date
2019-07-19

Abstract
Current Android applications (apps) often use the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols to transmit users' information, since a correct SSL/TLS implementation secures the transmission of sensitive data. However, for various reasons, Android developers fail to properly implement SSL/TLS certificate verification during app development, which results in security risks. The improper implementations include trusting all certificates, trusting all domain names, and ignoring certificate verification errors; each of them may enable Man-In-The-Middle (MITM) or phishing attacks. In this work, we detect such vulnerabilities in the SSL/TLS implementation of Android apps by designing and implementing DCDroid (Detecting SSL/TLS Certificate verification vulnerabilities in Android apps), a tool that combines static and dynamic analysis. We focus on four types of vulnerable schemes and locate the potentially vulnerable code snippets in apps with static analysis. In dynamic analysis, we prioritize the triggering of User Interface (UI) components based on the results of the static analysis in order to confirm the misuse of SSL/TLS. The dynamic analysis benefits from the static analysis and removes false positives. With DCDroid we analyze 960 apps from Google Play and 1253 apps from 360app. The experimental results show that 457 (20.65%) apps contain potential security risks in their implementation of SSL/TLS. Guided by the static analysis, we further confirm that 248 (11.21%) of the 2213 apps are truly vulnerable to MITM and phishing attacks. By analyzing the categories, ranks and version evolution of the detected vulnerable apps, we find that apps in the News&Books category are more likely to introduce SSL/TLS risks, and that the fix cycle of the risk is very long. We provide suggestions on SSL/TLS certificate verification to Android developers to help them avoid these vulnerabilities.
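The three misuses the abstract names (an X509TrustManager that accepts any chain, a HostnameVerifier that accepts any host, and a WebViewClient that proceeds past certificate errors) are all recognisable in decompiled source. The following Python script is an added example, not DCDroid's code or the authors' rule set: it embeds constructed Java snippets (one vulnerable pattern per sample, plus a hardened counterpart) and scans them with simple pattern rules that stand in for a static-analysis phase. The rule names, the mapping of "four vulnerable schemes" to these four patterns, and the brace-matching heuristic are assumptions made for illustration.

```python
"""Pattern scan for SSL/TLS certificate-verification misuses in Java source.

Added example, not DCDroid's implementation. The four rules below are an
assumed mapping of the paper's 'four vulnerable schemes'; the sample snippets
are constructed and do not come from any real app.
"""
import re

# --- constructed Java snippets (assumed inputs, one misuse each) ---------------

VULN_TRUST_ALL = """
TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}  // any chain
    public X509Certificate[] getAcceptedIssuers() { return null; }
}};
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }   // any host
};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
"""

VULN_WEBVIEW = """
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();   // swallows the certificate error and keeps loading
    }
});
"""

VULN_APACHE_VERIFIER = """
SSLSocketFactory sf = SSLSocketFactory.getSocketFactory();
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

HARDENED = """
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    defaultTm.checkServerTrusted(chain, authType);           // platform chain validation first
    if (!PINNED_SPKI.contains(spkiSha256(chain[0]))) {
        throw new CertificateException("SPKI pin mismatch");
    }
}
public boolean verify(String hostname, SSLSession session) {
    return HttpsURLConnection.getDefaultHostnameVerifier().verify(hostname, session);
}
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.cancel();                                        // never proceed on a TLS error
}
"""

SAMPLES = {
    "trust_all": VULN_TRUST_ALL,
    "webview": VULN_WEBVIEW,
    "apache_verifier": VULN_APACHE_VERIFIER,
    "hardened": HARDENED,
}


def strip_comments(src):
    """Remove /* */ and // comments so commented-out code cannot trigger a rule.
    Toy heuristic: a '//' inside a string literal would also be cut."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def method_body(src, name):
    """Return the body of the first *declaration* of method `name`, or None.
    Requires a void/boolean return type so plain calls (x.verify(...)) do not
    match, then walks braces to find the matching close."""
    m = re.search(r"\b(?:void|boolean)\s+" + re.escape(name) + r"\s*\([^)]*\)[^{;]*\{", src)
    if not m:
        return None
    depth, i, start = 1, m.end(), m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]


def scan(java_src):
    """Return the list of rule names that fire on one Java snippet."""
    src = strip_comments(java_src)
    findings = []
    body = method_body(src, "checkServerTrusted")
    if body is not None and "throw" not in body and ".checkServerTrusted(" not in body:
        findings.append("trust-all-certificates")      # never rejects a chain
    body = method_body(src, "verify")
    if body is not None and re.fullmatch(r"\s*return\s+true\s*;\s*", body):
        findings.append("trust-all-hostnames")         # unconditional 'return true'
    if re.search(r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier", src):
        findings.append("allow-all-hostname-verifier")  # legacy Apache constant
    body = method_body(src, "onReceivedSslError")
    if body is not None and ".proceed(" in body and ".cancel(" not in body:
        findings.append("ignore-webview-ssl-errors")   # proceeds with no cancel path
    return findings


def scan_all(samples=SAMPLES):
    """Scan every sample and map its name to the rules that fired."""
    return {name: scan(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:16s} {hits or 'clean'}")
```

The scanner only locates candidates, which is the role the abstract gives static analysis; a hit still needs confirmation, for instance by exercising the flagged code path against a proxy presenting an untrusted certificate, before it is reported as exploitable.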

Citation
Wang, Y., Liu, X., Mao, W., & Wang, W. (2019). DCDroid. Proceedings of the ACM Turing Celebration Conference - China on - ACM TURC ’19. doi:10.1145/3321408.3326665

Acknowledgements
The work reported in this paper was supported in part by Natural Science Foundation of China, under Grant U1736114, and in part by National Key R&D Program of China, under grant 2017YFB0802805.

Publisher
Association for Computing Machinery (ACM)

Conference/Event Name
2019 ACM Turing Celebration Conference - China, ACM TURC 2019

DOI
10.1145/3321408.3326665

Additional Links
http://dl.acm.org/citation.cfm?doid=3321408.3326665
