[cryptography] OT: Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security

Jeffrey Walton noloader at gmail.com
Sat Oct 20 21:41:42 EDT 2012

Hot off the presses (but it's not limited to Android): "Why Eve and
Mallory Love Android: An Analysis of Android SSL (In)Security",
http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf. Or
should it be "The Case for Public Key Pinning"?

"...The most common approach to protect data during communication on
the Android platform is to use the Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) protocols. To evaluate the state of SSL
use in Android apps, we downloaded 13,500 popular free apps from
Google’s Play Market and studied their properties with respect to the
usage of SSL. In particular, we analyzed the apps’ vulnerabilities
against Man-in-the-Middle (MITM) attacks due to the inadequate or
incorrect use of SSL.

For this purpose, we created MalloDroid, an Androguard extension that
performs static code analysis to a) analyze the networking API calls
and extract valid HTTP(S) URLs from the decompiled apps; b) check the
validity of the SSL certificates of all extracted HTTPS hosts; and c)
identify apps that contain API calls that differ from Android’s
default SSL usage, e.g., contain non-default trust managers, SSL
socket factories or hostname verifiers with permissive verification
strategies. Based on the results of the static code analysis, we
selected 100 apps for manual audit to investigate various forms of SSL
use and misuse: accepting all SSL certificates, allowing all hostnames
regardless of the certificate’s Common Name (CN), neglecting
precautions against SSL stripping, trusting all available Certificate
Authorities (CAs), not using SSL pinning, and misinforming users about
SSL usage."
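The static checks the abstract describes (step a, extracting HTTP(S) hosts, and step c, flagging permissive trust managers and hostname verifiers) can be approximated with simple pattern scans over decompiled Java. The following is an added example written for this post, not MalloDroid's own code; the Java snippet it scans is constructed and `api.example.com` is a placeholder.

```python
import re

# Constructed decompiled Android source exhibiting the misuse patterns the
# paper's abstract lists (accept-all TrustManager, accept-all HostnameVerifier,
# ALLOW_ALL_HOSTNAME_VERIFIER, cleartext URL). Not taken from any real app.
SAMPLE_SOURCE = r'''
public class NaiveTrust implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
String login = "http://api.example.com/login";
String api = "https://api.example.com/v1";
'''

# Name of finding -> regex over the decompiled source. Deliberately simple:
# a real analyser would work on the call graph, not on text.
CHECKS = [
    ("accept-all trust manager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S)),
    ("accept-all hostname verifier",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}", re.S)),
    ("ALLOW_ALL_HOSTNAME_VERIFIER", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("cleartext http URL", re.compile(r'"http://[^"\s]+"')),
]


def audit(source):
    """Return {finding name: [matched snippets]} for every pattern that hits."""
    findings = {}
    for name, pattern in CHECKS:
        hits = [m.group(0) for m in pattern.finditer(source)]
        if hits:
            findings[name] = hits
    return findings


def extract_https_hosts(source):
    """Step a): distinct HTTPS hosts, ready for a certificate validity check."""
    return sorted(set(re.findall(r'https://([^/"\s:]+)', source)))


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_SOURCE).items():
        print(f"[!] {name}: {len(hits)} hit(s)")
    print("HTTPS hosts to validate:", extract_https_hosts(SAMPLE_SOURCE))
```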
