z-logo
open-access-imgOpen Access
DCDroid
Author(s) -
Yingjie Wang,
Xing Liu,
Weixuan Mao,
Wei Wang
Publication year - 2019
Publication title -
proceedings of the acm turing celebration conference - china
Language(s) - English
Resource type - Conference proceedings
ISBN - 978-1-4503-7158-2
DOI - 10.1145/3321408.3326665
Subject(s) - computer science , android (operating system) , transport layer security , phishing , man in the middle attack , static analysis , computer security , false positive paradox , implementation , certificate , application security , world wide web , information security , authentication (law) , operating system , the internet , software security assurance , encryption , software engineering , security service , algorithm , machine learning , programming language
Current Android applications (apps) often use Security Socket Layer(SSL)/Transport Layer Security(TLS) protocols to transmit users' information, as the implementation of SSL/TLS secures the transmission of sensitive information. However, for various reasons, Android developers fail to properly implement SSL/TLS during the development of an app, resulting in security risks. The improper implementations include trusting all certificates, trusting all domain names, or ignoring certificate verification errors. These improper implementations may result in Man-In-The-Middle(MITM) attacks or phishing attacks. In this work, we are motivated to detect vulnerabilities in implementation of SSL/TLS in Android apps by designing and implementing a tool called DCDroid (Detecting SSL/TLS Certificate verification vulnerabilities in Android apps) with the combination of static analysis and dynamic analysis. We focus on four types of vulnerable schema and locate the potential vulnerable code snippets in apps with static analysis. In dynamic analysis, we prioritize the triggering of User Interface(UI) components based on the results with static analysis to confirm the misuse of SSL/TLS. The dynamic analysis benefits from the static analysis and removes false positives. With DCDroid we analyze 960 apps from Google Play and 1253 apps from 360app. The experimental results show that 457 (20.65%) apps contain potential security risks in the implementation of SSL/TLS. Guided by the static analysis, we further confirm that 248 (11.21%) out of 2213 apps are truly vulnerable to MITM and phishing attacks. By analyzing the categories, ranks and version evolution of these detected vulnerable apps, we find that apps of News&Books are more likely to introduce SSL/TLS risks. We also find that the fix cycle of the risk is very long. We provide suggestions on SSL/TLS certificate verification to Android developers in order to deal with the SSL/TLS certificate verification vulnerabilities.

The content you want is available to Zendy users.

Already have an account? Click here to sign in.
Having issues? You can contact us here
Accelerating Research

Address

John Eccles House
Robert Robinson Avenue,
Oxford Science Park, Oxford
OX4 4GP, United Kingdom