
MITHYS: Mind The Hand You Shake - Protecting Mobile Devices from SSL Usage Vulnerabilities

  • Conference paper
Security and Trust Management (STM 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8203)

Abstract

Recent studies have shown that a significant number of mobile applications, often handling sensitive data such as bank accounts and login credentials, suffer from SSL vulnerabilities. Most of the time, these vulnerabilities are due to improper use of the SSL protocol (in particular, in its handshake phase), leaving the applications exposed to man-in-the-middle attacks. In this paper, we present MITHYS, a system able to: (i) detect applications vulnerable to man-in-the-middle attacks, and (ii) protect them against these attacks. We demonstrate the feasibility of our proposal by means of a prototype implementation in Android, named MITHYSApp. A thorough set of experiments assesses the validity of our solution in detecting and protecting mobile applications from man-in-the-middle attacks, without introducing significant overheads. Finally, MITHYSApp requires neither special permissions nor OS modifications, as it operates at the application level. These features make MITHYSApp immediately deployable on a large user base.
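The handshake misuse the abstract refers to is, in practice, a client that completes the SSL/TLS handshake without validating the server's certificate chain or matching its hostname, so an interposed party with any certificate can read and alter the traffic. The following is an added example, not code from the paper or from MITHYSApp: it is written against Python's standard ssl module rather than Android's Java API, and the function names (insecure_client_context, hardened_client_context, audit_client_context) are hypothetical. It places the vulnerable client configuration next to the hardened one and adds a small audit that flags the settings a detector would look for.

```python
import ssl
from typing import List, Optional

# Added example (not the paper's MITHYSApp code): the vulnerable handshake
# configuration beside the one that lets the handshake reject an interposer.


def insecure_client_context() -> ssl.SSLContext:
    """The 'accept any certificate' pattern: the handshake succeeds against
    whatever certificate the peer, or a man in the middle, presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Hostname checking has to be disabled before verification can be turned off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation against a trust store plus hostname matching, with
    TLS 1.2 as the protocol floor. cafile=None uses the platform CA store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the handshake weaknesses a static check would flag in ctx.
    An empty list means the context refuses an interposed certificate."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain is not validated (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("peer hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {audit_client_context(ctx) or ['no findings']}")
```

The audit only inspects configuration; it does not prove that a given connection was not intercepted. That is the gap the paper's approach addresses by testing the application's behaviour rather than its settings.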




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Conti, M., Dragoni, N., Gottardo, S. (2013). MITHYS: Mind The Hand You Shake - Protecting Mobile Devices from SSL Usage Vulnerabilities. In: Accorsi, R., Ranise, S. (eds) Security and Trust Management. STM 2013. Lecture Notes in Computer Science, vol 8203. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41098-7_5


  • DOI: https://doi.org/10.1007/978-3-642-41098-7_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41097-0

  • Online ISBN: 978-3-642-41098-7

  • eBook Packages: Computer Science, Computer Science (R0)
