Danger is My Middle Name: Experimenting with SSL Vulnerabilities in Android Apps
Abstract
This paper presents a measurement study of information leakage and SSL vulnerabilities in popular Android apps. We perform static and dynamic analysis on 100 apps, downloaded at least 10M times, that request full network access. Our experiments show that, although prior work has drawn a lot of attention to SSL implementations on mobile platforms, several popular apps (32/100) accept all certificates and all hostnames, and four actually transmit sensitive data unencrypted. We set up an experimental testbed simulating man-in-the-middle attacks and find that many apps (up to 91% when the adversary has a certificate installed on the victim's device) are vulnerable, allowing the attacker to access sensitive information, including credentials, files, personal details, and credit card numbers. Finally, we provide a few recommendations to app developers and highlight several open research problems.
- Publication:
-
arXiv e-prints
- Pub Date:
- May 2015
- DOI:
- 10.48550/arXiv.1505.00589
- arXiv:
- arXiv:1505.00589
- Bibcode:
- 2015arXiv150500589O
- Keywords:
-
- Computer Science - Cryptography and Security;
- Computer Science - Software Engineering
- E-Print:
- A preliminary version of this paper appears in the Proceedings of ACM WiSec 2015. This is the full version