Detection of SSL/TLS Implementation Errors in Android Applications



Cibalık K. E., KOÇAK C.

Gazi Üniversitesi Fen Bilimleri Dergisi Part C: Tasarım ve Teknoloji, vol. 8, no. 2, pp. 211-219, 2021 (peer-reviewed journal)

Abstract

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are used to protect network communication, for example the transmission of user data. Failing to implement SSL/TLS correctly during app development creates security risks. Weak implementations include trusting all host names, trusting all certificates, ignoring certificate verification errors, and omitting SSL public key pinning. Such implementations expose the app to Man-In-The-Middle (MITM) attacks. The main aim of this research is to detect configuration errors in the SSL/TLS implementation of Android apps. We combine existing open-source tools and streamline the analysis process by pairing automated static analysis with manually assisted dynamic analysis. In the static analysis phase we scan for four types of vulnerabilities; in the dynamic analysis phase we verify whether SSL/TLS is actually misused. The dynamic analysis is essential for eliminating the false positives produced by static analysis. We analyzed 109 apps from the Google Play Store: 45 (41.28%) contain potential errors in their use of SSL/TLS, and we verified that 19 (17.43%) of the 109 apps are vulnerable to MITM attacks.
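The four weaknesses named in the abstract have well-known source-level shapes in decompiled Android code: an X509TrustManager whose checkServerTrusted never rejects a chain, a HostnameVerifier whose verify simply returns true, a WebViewClient.onReceivedSslError that calls handler.proceed(), and the absence of any pinning mechanism. The scanner below is an added illustration of the static-analysis phase, written for this page and not the authors' tool; it assumes the decompiled sources are available as plain Java text (as produced by jadx or similar) and that OkHttp's CertificatePinner or a network_security_config <pin-set> are the only pinning markers worth checking. The "app" inputs are constructed snippets. Note what it cannot know: a trust-all manager that is declared but never installed into an SSLContext is still flagged, which is exactly the kind of false positive the paper's dynamic MITM check is there to remove.

```python
"""Static scan for the four SSL/TLS misuse patterns discussed in the abstract.

Added example, not the paper's tool. Inputs are constructed decompiled
sources; a real run would read jadx output from disk.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    file: str
    kind: str
    detail: str


# Pinning markers checked for (assumption: OkHttp CertificatePinner and the
# Android network security config <pin-set> element).
PIN_MARKERS = ("CertificatePinner", "<pin-set")

_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def strip_comments(src: str) -> str:
    """Drop // and /* */ comments so words like 'throw' in a comment don't count."""
    return _COMMENT_RE.sub("", src)


def method_bodies(src: str, name: str):
    """Yield the brace-delimited body of every method declaration named `name`.

    A call site (`x.verify(a, b);`) is not followed by '{', so it is not matched.
    """
    pattern = r"\b" + re.escape(name) + r"\s*\([^)]*\)\s*(?:throws[^{]*)?\{"
    for m in re.finditer(pattern, src):
        start = m.end()
        depth, i = 1, start
        while i < len(src) and depth:
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
            i += 1
        yield src[start:i - 1]


def scan_java(path: str, raw: str) -> list[Finding]:
    src = strip_comments(raw)
    out: list[Finding] = []
    # 1. Trust all certificates: checkServerTrusted that can never reject a chain
    #    (no throw, no delegation to another trust manager).
    for body in method_bodies(src, "checkServerTrusted"):
        if "throw" not in body and ".checkServerTrusted(" not in body:
            out.append(Finding(path, "trust_all_certs", "checkServerTrusted never throws"))
    # 2. Trust all host names: verify() that unconditionally returns true,
    #    or the deprecated Apache ALLOW_ALL_HOSTNAME_VERIFIER constant.
    for body in method_bodies(src, "verify"):
        if re.fullmatch(r"\s*return\s+true\s*;\s*", body):
            out.append(Finding(path, "trust_all_hosts", "HostnameVerifier.verify returns true"))
    if "ALLOW_ALL_HOSTNAME_VERIFIER" in src:
        out.append(Finding(path, "trust_all_hosts", "ALLOW_ALL_HOSTNAME_VERIFIER referenced"))
    # 3. Ignoring certificate verification errors in a WebView.
    for body in method_bodies(src, "onReceivedSslError"):
        if re.search(r"\.proceed\s*\(", body):
            out.append(Finding(path, "ignore_ssl_error", "onReceivedSslError calls proceed()"))
    return out


def scan_app(files: dict[str, str]) -> list[Finding]:
    """Scan every file of one decompiled app; files is {path: content}."""
    findings: list[Finding] = []
    for path, content in files.items():
        if path.endswith(".java"):
            findings.extend(scan_java(path, content))
    # 4. Lack of pinning is an app-wide property: flag it only if no file has a marker.
    if not any(marker in content for content in files.values() for marker in PIN_MARKERS):
        findings.append(Finding("<app>", "no_pinning", "no CertificatePinner or <pin-set> found"))
    return findings


# Constructed sample: an app that disables every check.
VULNERABLE_APP = {
    "NaiveTrust.java": """
public class NaiveTrust implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // accept anything; do not throw
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
class AcceptAll implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
""",
    "Web.java": """
class Web extends WebViewClient {
    public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
        handler.proceed();
    }
}
""",
}

# Constructed sample: the same app with the checks kept and pinning added.
HARDENED_APP = {
    "Net.java": """
OkHttpClient client = new OkHttpClient.Builder()
    .certificatePinner(new CertificatePinner.Builder()
        .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        .build())
    .build();
""",
    "Web.java": """
class Web extends WebViewClient {
    public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
        handler.cancel();
    }
}
class Delegating implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        defaultTm.checkServerTrusted(chain, authType);
    }
}
""",
}

if __name__ == "__main__":
    for label, app in (("vulnerable", VULNERABLE_APP), ("hardened", HARDENED_APP)):
        print(label, [(f.file, f.kind) for f in scan_app(app)])
```

The vulnerable sample trips all four rules; the hardened one trips none, because its trust manager contains a throw and delegates, its WebViewClient cancels, and a CertificatePinner is present. Every hit is a candidate only: the paper's second phase replays traffic through a MITM proxy to confirm which flagged apps actually accept a forged certificate.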