
AndroSSL: A Platform to Test Android Applications Connection Security

  • Conference paper
  • Foundations and Practice of Security (FPS 2015)

Abstract

Developing secure mobile applications is not an easy task, especially when dealing with SSL/TLS, since very few developers possess experience with those protocols. This paper presents AndroSSL, an automated platform to assess the security of the SSL/TLS connections established by Android applications. AndroSSL assists mobile application developers by testing their applications against man-in-the-middle attacks and, when an attack succeeds, pinpoints the reason why the application is vulnerable.


Notes

  1. The terms SSL and TLS are used interchangeably throughout this paper.
  2. http://www.cve.mitre.org/.
  3. Meaning a certificate that should be considered invalid from the application’s point of view.
  4. With the possibility to use snapshots.
  5. Since Android 4.3, root privileges are required to access logcat.
  6. https://play.google.com/store/apps/details?id=com.nolanlawson.logcat.
  7. http://ipset.netfilter.org/iptables.man.html.
  8. Although this is problematic and should be addressed, we could consider this flaw as more difficult to exploit.


Corresponding author

Correspondence to François Gagnon.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Gagnon, F., Ferland, MA., Fortier, MA., Desloges, S., Ouellet, J., Boileau, C. (2016). AndroSSL: A Platform to Test Android Applications Connection Security. In: Garcia-Alfaro, J., Kranakis, E., Bonfante, G. (eds) Foundations and Practice of Security. FPS 2015. Lecture Notes in Computer Science, vol 9482. Springer, Cham. https://doi.org/10.1007/978-3-319-30303-1_20


  • DOI: https://doi.org/10.1007/978-3-319-30303-1_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30302-4

  • Online ISBN: 978-3-319-30303-1
