DCdroid: Automated detection of SSL/TLS certificate verification vulnerabilities in android apps

Yingjie Wang, Weixuan Mao, Xing Liu, Wei Wang

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

4 Scopus citations

Abstract

Current Android applications (apps) often use the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols to transmit users' information, since a correct SSL/TLS implementation secures the transmission of sensitive data. However, for various reasons, Android developers fail to implement SSL/TLS properly during app development, which results in security risks. The improper implementations include trusting all certificates, trusting all domain names, and ignoring certificate verification errors, and they may lead to Man-In-The-Middle (MITM) attacks or phishing attacks. In this work, we detect vulnerabilities in the SSL/TLS implementation of Android apps by designing and implementing a tool called DCDroid (Detecting SSL/TLS Certificate verification vulnerabilities in Android apps) that combines static analysis and dynamic analysis. We focus on four types of vulnerable schema and locate the potentially vulnerable code snippets in apps with static analysis. In the dynamic analysis, we prioritize the triggering of User Interface (UI) components based on the results of the static analysis to confirm the misuse of SSL/TLS; the dynamic analysis thus benefits from the static analysis and removes false positives. With DCDroid we analyze 960 apps from Google Play and 1253 apps from 360app. The experimental results show that 457 (20.65%) apps contain potential security risks in their implementation of SSL/TLS. Guided by the static analysis, we further confirm that 248 (11.21%) of the 2213 apps are truly vulnerable to MITM and phishing attacks. By analyzing the categories, ranks and version evolution of the detected vulnerable apps, we find that apps in the News & Books category are more likely to introduce SSL/TLS risks, and that the fix cycle for these risks is very long. We provide suggestions on SSL/TLS certificate verification to Android developers to help them deal with SSL/TLS certificate verification vulnerabilities.
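The static-analysis step described in the abstract, locating code that matches known vulnerable patterns before dynamic analysis confirms them, can be illustrated with a small signature scanner. The Python below is an added example and is not DCDroid's own code: it encodes the three improper implementations the abstract names (trusting all certificates, trusting all domain names, ignoring certificate verification errors) as text-pattern rules over decompiled-Java-style source. The matching heuristics, the function names and the pinning sample that shows a non-flagged delegating trust manager are assumptions; all four Java inputs are constructed for the example.

```python
"""Signature-based scan for the SSL/TLS certificate-verification anti-patterns
named in the DCDroid abstract. Added example, not DCDroid's own code; the
matching heuristics are assumptions and the Java inputs are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed decompiled-Java-style inputs: three files showing the improper
# implementations the abstract lists, and one that validates properly.
SAMPLES = {
    "TrustAllManager.java": """
public class TrustAllManager implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
""",
    "AllowAllHostname.java": """
public class AllowAllHostname implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
}
""",
    "IgnoreSslErrors.java": """
public class MyWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }
}
""",
    "PinningTrustManager.java": """
public class PinningTrustManager implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        system.checkServerTrusted(chain, authType);
        if (!PINS.contains(fingerprint(chain[0]))) {
            throw new CertificateException("pin mismatch");
        }
    }
}
""",
}


@dataclass(frozen=True)
class Finding:
    file: str
    rule: str
    line: int


# Each rule anchors on a method *declaration* (return type + name) and captures
# the body up to its first closing brace, which is enough for the flat bodies
# these anti-patterns usually have; calls to the same method are not matched.
_TRUST_ALL = re.compile(
    r"\bvoid\s+checkServerTrusted\s*\([^)]*\)[^{;]*\{([^}]*)\}")
_ALLOW_ALL_HOST = re.compile(
    r"\bboolean\s+verify\s*\([^)]*SSLSession[^)]*\)[^{;]*\{([^}]*)\}")
_IGNORE_SSL_ERR = re.compile(
    r"\bvoid\s+onReceivedSslError\s*\([^)]*\)[^{;]*\{([^}]*)\}")


def _line_of(src: str, offset: int) -> int:
    """1-based line number of a character offset in src."""
    return src.count("\n", 0, offset) + 1


def scan_source(name: str, src: str) -> list[Finding]:
    """Return the anti-pattern findings for one source file."""
    findings: list[Finding] = []
    for m in _TRUST_ALL.finditer(src):
        body = m.group(1)
        # A checkServerTrusted that can neither throw nor delegate to another
        # trust manager accepts every chain, valid or not.
        if "throw" not in body and ".checkServerTrusted(" not in body:
            findings.append(Finding(name, "trust-all-certificates", _line_of(src, m.start())))
    for m in _ALLOW_ALL_HOST.finditer(src):
        # A verify() whose whole body is "return true;" trusts every domain name.
        if re.fullmatch(r"\s*return\s+true\s*;\s*", m.group(1)):
            findings.append(Finding(name, "trust-all-hostnames", _line_of(src, m.start())))
    for m in _IGNORE_SSL_ERR.finditer(src):
        # onReceivedSslError that calls proceed() loads the page despite the error.
        if re.search(r"\.proceed\s*\(", m.group(1)):
            findings.append(Finding(name, "ignore-ssl-errors", _line_of(src, m.start())))
    return findings


def scan_all(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map each file name to the rule names that fired ([] when none did)."""
    return {n: [f.rule for f in scan_source(n, s)] for n, s in sources.items()}


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        for f in scan_source(name, src):
            print(f"{f.file}:{f.line}: {f.rule}")
```

A scan like this is only the first half of the pipeline the abstract describes: a delegating trust manager that also pins, as in the fourth sample, must not be reported, and a textual rule cannot tell whether a flagged class is ever installed on a real connection. That is why the paper's dynamic step, driving the UI components that reach the flagged code, is needed to remove false positives.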
Original language: English (US)
Title of host publication: Proceedings of the ACM Turing Celebration Conference - China on - ACM TURC '19
Publisher: ACM Press
ISBN (Print): 9781450371582
DOIs
State: Published - Jul 19 2019

Bibliographical note

KAUST Repository Item: Exported on 2020-10-01
Acknowledgements: The work reported in this paper was supported in part by Natural Science Foundation of China, under Grant U1736114, and in part by National Key R&D Program of China, under grant 2017YFB0802805.
