Many Android apps have a legitimate need to communicate over the Internet and are then responsible for protecting potentially sensitive data during transit. This paper seeks to better understand the potential security threats posed by benign Android apps that use the SSL/TLS protocols to protect data they transmit. Since the lack of visual security indicators for SSL/TLS usage and the inadequate use of SSL/TLS can be exploited to launch Man-in-the-Middle (MITM) attacks, an analysis of 13,500 popular free apps downloaded from Google's Play Market is presented.

We introduce MalloDroid, a tool to detect potential vulnerability against MITM attacks. Our analysis revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. Furthermore, an online survey was conducted to evaluate users' perceptions of certificate warnings and HTTPS visual security indicators in Android's browser, showing that half of the 754 participating users were not able to correctly judge whether their browser session was protected by SSL/TLS or not. We conclude by considering the implications of these findings and discuss several countermeasures with which these problems could be alleviated.
%0 Conference Paper
%1 Fahl:2012:WEM:2382196.2382205
%A Fahl, Sascha
%A Harbach, Marian
%A Muders, Thomas
%A Baumgärtner, Lars
%A Freisleben, Bernd
%A Smith, Matthew
%B Proceedings of the 2012 ACM conference on Computer and communications security
%C New York, NY, USA
%D 2012
%I ACM
%K 2012 analysis android apps developer myown ssl usability vulnerability
%P 50--61
%R 10.1145/2382196.2382205
%T Why eve and mallory love android: an analysis of android SSL (in)security
%U http://doi.acm.org/10.1145/2382196.2382205
%X Many Android apps have a legitimate need to communicate over the Internet and are then responsible for protecting potentially sensitive data during transit. This paper seeks to better understand the potential security threats posed by benign Android apps that use the SSL/TLS protocols to protect data they transmit. Since the lack of visual security indicators for SSL/TLS usage and the inadequate use of SSL/TLS can be exploited to launch Man-in-the-Middle (MITM) attacks, an analysis of 13,500 popular free apps downloaded from Google's Play Market is presented. We introduce MalloDroid, a tool to detect potential vulnerability against MITM attacks. Our analysis revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. Furthermore, an online survey was conducted to evaluate users' perceptions of certificate warnings and HTTPS visual security indicators in Android's browser, showing that half of the 754 participating users were not able to correctly judge whether their browser session was protected by SSL/TLS or not. We conclude by considering the implications of these findings and discuss several countermeasures with which these problems could be alleviated.
%@ 978-1-4503-1651-4
@inproceedings{Fahl:2012:WEM:2382196.2382205,
abstract = {Many Android apps have a legitimate need to communicate over the Internet and are then responsible for protecting potentially sensitive data during transit. This paper seeks to better understand the potential security threats posed by benign Android apps that use the SSL/TLS protocols to protect data they transmit. Since the lack of visual security indicators for SSL/TLS usage and the inadequate use of SSL/TLS can be exploited to launch Man-in-the-Middle (MITM) attacks, an analysis of 13,500 popular free apps downloaded from Google's Play Market is presented. We introduce MalloDroid, a tool to detect potential vulnerability against MITM attacks. Our analysis revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. Furthermore, an online survey was conducted to evaluate users' perceptions of certificate warnings and HTTPS visual security indicators in Android's browser, showing that half of the 754 participating users were not able to correctly judge whether their browser session was protected by SSL/TLS or not. We conclude by considering the implications of these findings and discuss several countermeasures with which these problems could be alleviated.},
acmid = {2382205},
added-at = {2012-11-14T19:21:28.000+0100},
address = {New York, NY, USA},
author = {Fahl, Sascha and Harbach, Marian and Muders, Thomas and Baumg\"{a}rtner, Lars and Freisleben, Bernd and Smith, Matthew},
biburl = {https://www.bibsonomy.org/bibtex/2ef8147cde9a5597e4c1eba8c2a0b1a74/harbach},
booktitle = {Proceedings of the 2012 ACM conference on Computer and communications security},
description = {Why eve and mallory love android},
doi = {10.1145/2382196.2382205},
interhash = {2d0cfe333d25d63c9bd10d600ed5e5d8},
intrahash = {ef8147cde9a5597e4c1eba8c2a0b1a74},
isbn = {978-1-4503-1651-4},
keywords = {2012 analysis android apps developer myown ssl usability vulnerability},
location = {Raleigh, North Carolina, USA},
numpages = {12},
pages = {50--61},
publisher = {ACM},
series = {CCS '12},
timestamp = {2012-11-14T19:21:28.000+0100},
title = {Why eve and mallory love android: an analysis of android SSL (in)security},
url = {http://doi.acm.org/10.1145/2382196.2382205},
year = 2012
}