TY - JOUR
T1 - Identifying vulnerabilities of SSL/TLS certificate verification in Android apps with static and dynamic analysis
AU - Wang, Yingjie
AU - Xu, Guangquan
AU - Liu, Xing
AU - Mao, Weixuan
AU - Si, Chengxiang
AU - Pedrycz, Witold
AU - Wang, Wei
N1 - KAUST Repository Item: Exported on 2020-10-01
Acknowledgements: The work reported in this paper was supported in part by Natural Science Foundation of China, under Grant U1736114, and in part by National Key R&D Program of China, under grant 2017YFB0802805.
PY - 2020/4/22
Y1 - 2020/4/22
N2 - Many Android developers fail to properly implement SSL/TLS during the development of an app, which may result in Man-In-The-Middle (MITM) attacks or phishing attacks. In this work, we design and implement a tool called DCDroid to detect these vulnerabilities with a combination of static and dynamic analysis. In static analysis, we focus on four types of vulnerable schema and locate the potentially vulnerable code snippets in apps. In dynamic analysis, we prioritize the triggering of User Interface (UI) components based on the results obtained with static analysis to confirm the misuse of SSL/TLS. With DCDroid we analyze 2213 apps from Google Play and 360app. The experimental results show that 457 (20.65%) apps contain potentially vulnerable code. We run apps with DCDroid on two Android smartphones and confirm that 245 (11.07%) of 2213 apps are truly vulnerable to MITM and phishing attacks. We propose several strategies to reduce the number of crashes and shorten the execution time in dynamic analysis. Compared with our previous work, DCDroid decreases the number of app crashes by 57.18% and the execution time by 32.47% on average. It also outperforms three other tools, namely AndroBugs, kingkong and appscan, in terms of detection accuracy.
UR - http://hdl.handle.net/10754/662718
UR - https://linkinghub.elsevier.com/retrieve/pii/S016412122030087X
UR - http://www.scopus.com/inward/record.url?scp=85083770002&partnerID=8YFLogxK
U2 - 10.1016/j.jss.2020.110609
DO - 10.1016/j.jss.2020.110609
M3 - Article
SN - 0164-1212
VL - 167
SP - 110609
JO - Journal of Systems and Software
JF - Journal of Systems and Software
ER -