Abstract
Hybrid mobile apps, which combine native Android UIs with Web UIs, are widely available on today's smartphones. Such apps usually rely on SSL/TLS to secure their HTTP-based communication. However, researchers have shown that incorrect use of SSL/TLS can lead to serious security problems such as Man-In-The-Middle (MITM) and phishing attacks. This paper investigates a particular SSL vulnerability rooted in the SSL error-handling code of hybrid mobile Web apps. Such error-handling code is normally used to terminate the ongoing communication, but the vulnerable variant lets the communication proceed despite a certificate verification failure, which enables MITM attacks. To identify vulnerable apps, we develop a hybrid approach that combines static and dynamic analysis to (1) automatically distinguish native Android UIs from Web UIs and execute the Web UIs to trigger the error-handling code, and (2) accurately select the correct paths from an app entry point to the targeted code while avoiding app crashes, populating the messaging objects used for communication between components. Specifically, we construct inter-component call graphs to model these connections, and design algorithms that select paths from the graph and determine the required parameters by backtracing. To evaluate our approach, we implemented it and tested it on 13,820 real-world mobile Web apps from Google Play. Static analysis alone flags 1,360 apps as potentially vulnerable; the dynamic analysis further confirms that 711 of those apps are truly vulnerable.
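The static half of the vetting pipeline sketched above, as an added example that is not the paper's tool: on Android the SSL error-handling hook of a Web UI is `WebViewClient.onReceivedSslError(WebView, SslErrorHandler, SslError)`, and the vulnerable pattern is a body that calls `SslErrorHandler.proceed()` so the load continues after certificate verification has failed. The script below scans smali (the disassembled Dalvik bytecode that tools such as apktool emit) for that method, flags bodies that only ever call `proceed()` as vulnerable, and marks bodies that contain both `proceed()` and `cancel()` as suspicious, i.e. candidates the paper's dynamic phase would have to confirm. The smali input is constructed for illustration, the three class names are hypothetical, and the classification is a deliberately simple heuristic rather than the paper's path-selection algorithm.

```python
"""
Simplified static check for the SSL error-handling vulnerability:
a WebViewClient whose onReceivedSslError() calls SslErrorHandler.proceed().
Added example, not the paper's own tool. The smali below is constructed.
"""
import re

# Dalvik descriptor of the hook and of the two handler calls we care about.
ON_RECEIVED_SSL_ERROR = (
    "onReceivedSslError(Landroid/webkit/WebView;"
    "Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V"
)
PROCEED = "Landroid/webkit/SslErrorHandler;->proceed()V"
CANCEL = "Landroid/webkit/SslErrorHandler;->cancel()V"

CLASS_RE = re.compile(r"^\.class\b.*\s(L[^\s;]+;)\s*$")
METHOD_RE = re.compile(r"^\.method\b(.*)$")


def split_methods(smali):
    """Yield (class_name, method_signature, body_lines) for every method."""
    cls, sig, body = None, None, []
    for raw in smali.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            continue
        m = METHOD_RE.match(line)
        if m:
            sig = m.group(1).split()[-1]  # drop access flags, keep name+descriptor
            body = []
            continue
        if line == ".end method":
            if sig is not None:
                yield cls, sig, body
            sig, body = None, []
            continue
        if sig is not None and line:
            body.append(line)


def classify(body):
    """
    'vulnerable' : proceed() is called and cancel() never is, so every
                   certificate error is waved through
    'suspicious' : both proceed() and cancel() appear; which branch runs
                   depends on runtime state, so dynamic analysis must decide
    'safe'       : proceed() is never called
    """
    calls_proceed = any(PROCEED in line for line in body)
    calls_cancel = any(CANCEL in line for line in body)
    if not calls_proceed:
        return "safe"
    return "suspicious" if calls_cancel else "vulnerable"


def scan(smali):
    """Map each class that overrides onReceivedSslError to its verdict."""
    return {
        cls: classify(body)
        for cls, sig, body in split_methods(smali)
        if sig == ON_RECEIVED_SSL_ERROR
    }


# Constructed smali for three hypothetical WebViewClient subclasses.
SAMPLE_SMALI = """\
.class public Lcom/example/BadClient;
.super Landroid/webkit/WebViewClient;
.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .locals 0
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V
    return-void
.end method

.class public Lcom/example/GoodClient;
.super Landroid/webkit/WebViewClient;
.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .locals 0
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->cancel()V
    return-void
.end method

.class public Lcom/example/MixedClient;
.super Landroid/webkit/WebViewClient;
.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .locals 1
    invoke-virtual {p3}, Landroid/net/http/SslError;->getPrimaryError()I
    move-result v0
    if-nez v0, :cancel
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V
    return-void
    :cancel
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->cancel()V
    return-void
.end method
"""

if __name__ == "__main__":
    for cls, verdict in scan(SAMPLE_SMALI).items():
        print(f"{cls}: {verdict}")
```

The "suspicious" bucket is where the abstract's gap between 1,360 statically flagged apps and 711 confirmed ones lives: a body that branches between `proceed()` and `cancel()` cannot be judged from bytecode alone, which is why the paper drives the Web UI to an actual certificate failure and watches which branch executes.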
Notes
An Activity is an application component that provides a screen with which users can interact in order to perform a task, such as dial the phone, take a photo, send an email, or view a map (http://developer.android.com/guide/components/activities.html).
Acknowledgments
We would like to thank the anonymous reviewers for their comments on previous drafts of this paper. This work is partially supported by the National Natural Science Foundation of China (91546203, 61173068, 61572295, 61573212), the Program for New Century Excellent Talents in University of the Ministry of Education, the Key Science Technology Project of Shandong Province (2014GGD01063, 2015GGE27033), the Independent Innovation Foundation of Shandong Province (2014CGZH1106) and the Shandong Provincial Natural Science Foundation (ZR2014FM020).
Additional information
This article belongs to the Topical Collection: Special Issue on Security and Privacy of IoT
Guest Editors: Tarik Taleb, Zonghua Zhang, and Hua Wang
Cite this article
Liu, Y., Zuo, C., Zhang, Z. et al. An automatically vetting mechanism for SSL error-handling vulnerability in android hybrid Web apps. World Wide Web 21, 127–150 (2018). https://doi.org/10.1007/s11280-017-0458-9