Why Eve and Mallory Love Android An Analysis of Android SSL (In)Security



Similar documents
Why Eve and Mallory Love Android An Analysis of Android SSL (In)Security

Sascha Fahl, Marian Harbach, Matthew Smith. Usable Security and Privacy Lab Leibniz Universität Hannover

The Need for a Usable TLS PKI

SSL implementieren aber sicher!

Is Your SSL Website and Mobile App Really Secure?

AndroSSL: A Platform to Test Android Applications Connection Security

Cloud Computing for Education Workshop


Best Practice Guide (SSL Implementation) for Mobile App Development 最 佳 行 事 指 引. Jointly published by. Publication version 1.

SSL EXPLAINED SSL EXPLAINED

An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities

LBSEC.

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

Lynn Margaret Batten. IT Security Research Services & Deakin University, Melbourne, Australia. June 2015

SSL/TLS: The Ugly Truth

How to Prevent Secure Web Traffic (HTTPS) from Crippling Your Content Filter. A Cymphonix White Paper

SSL Considerations for CAS: Planning, Management, and Troubleshooting. Marvin Addison Middleware Services Virginia Tech October 13, 2010

SSL, PKI and Secure Communication

PROTECTING DATA IN TRANSIT WITH ENCRYPTION IN M-FILES

Filter Avoidance and Anonymous Proxy Guard

Setup Corporate (Microsoft Exchange) . This tutorial will walk you through the steps of setting up your corporate account.

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

A Study of SSL Proxy Attacks on Android and ios Mobile Applications

A tutorial on how you can host mul$ple SSL Cer$ficates on a single IP address without losing any backward compa6bility

Mobile Application Security

Network Configuration Settings

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

CHAPTER 7 SSL CONFIGURATION AND TESTING

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

DEPLOYMENT OF I M INTOUCH (IIT) IN TYPICAL NETWORK ENVIRONMENTS. Single Computer running I m InTouch with a DSL or Cable Modem Internet Connection

What s Your HTTPS Grade? A Case Study of HTTPS/SSL at Mid Michigan Community College. Brandon bkish@midmich.edu

Web Security: Encryption & Authentication

MultiSite Manager. Using HTTPS and SSL Certificates

Auditing the Security and Management of Smart Devices. ISACA Dallas Meeting February 13, 2014

IUCLID 5 Guidance and Support

z/tpf FTP Client Support

Sophos Mobile Control Installation prerequisites form

Managing IPv4 scarcity when using SSL Cer7ficates Mul7ple SSL Cer7ficates on a single IP address

Enabling SSL and Client Certificates on the SAP J2EE Engine

Storgrid EFS Access all of your business information securely from any device

Deltek Touch Time & Expense for Vision 1.3. Release Notes

Secure Transfers. Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3

Setting Up SSL on IIS6 for MEGA Advisor

ISY994 Series Network Security Configuration Guide Requires firmware version Requires Java 1.7+

Setting Up groov Mobile Apps. Introduction. Setting Up groov Mobile Apps. Using the ios Mobile App

Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling

The increasing popularity of mobile devices is rapidly changing how and where we

END-TO-END SSL SETUP SAP WEB DISPATCHER Helps you to setup the End-To-End SSL Scenario for SAP Web Dispatcher

To Pin or Not to Pin Helping App Developers Bullet Proof Their TLS Connections

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

WebStore Guide. The Uniform Solution

Introduction to the Mobile Access Gateway

Lepide Active Directory Self Service. Configuration Guide. Follow the simple steps given in this document to start working with

BEGINNER S GUIDE TO SSL CERTIFICATES: Making the best choice when considering your online security options

If you already have Uninstalled SonicWALL Global VPN client, or never had it installed you can skip this step.

Spreed Keeps Online Meetings Secure. Online meeting controls and security mechanism.

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Cloud Services. Introduction...2 Overview...2. Security considerations Installation...3 Server Configuration...4

Configuration Guide BES12. Version 12.1

Chapter 17. Transport-Level Security

Cleaning Encrypted Traffic

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

Remote Desktop Gateway. Accessing a Campus Managed Device (Windows Only) from home.

IT Exam Training online / Bootcamp

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

beginners guide Beginners Guide Certificates the best decision when considering your online security options.

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Integrated SSL Scanning

PowerChute TM Network Shutdown Security Features & Deployment

Configuring an Client to Connect to CASS Mail Servers

Secure Socket Layer (SSL) Machines included: Contents 1: Basic Overview

AppConnect FAQ for MobileIron Technology Partners! AppConnect Overview

The Smartest Way to Get Meetings Done

Legal notices. Legal notices. For legal notices, see

Tel: Tel: +44 (0) Comodo Group.

CA Service Desk Manager - Mobile Enabler 2.0

A Guide to New Features in Propalms OneGate 4.0

Sametime 9 Meetings deployment Open Mic July 23rd 2014

Secure Frequently Asked Questions

HRC Advanced Citrix Troubleshooting Guide. Remove all Citrix Instances from the Registry

Lesson 10: Attacks to the SSL Protocol

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Frequently Asked Questions PIVOT by Spectralink

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Configuring Secure Socket Layer (SSL)

More on SHA-1 deprecation:

IPv4 Shortage Multiple SSL Certificates on a single IP address

Transcription:

Why Eve and Mallory Love Android An Analysis of Android SSL (In)Security Sascha Fahl Marian Harbach Thomas Muders Lars Baumgärtner Bernd Freisleben Ma:hew Smith

Some Android Facts 330 million devices (as of Q1 2012) 930,000 acgvagons per day (as of Q1 2012) 450,000 apps (as of June 2012) Market Share (Q2 2012) 64% Android ios RIM Symbian Windows Phone Seite 2

Appifica2on There s an App for Everything Seite 3

What do Most Apps Have in Common? They share data over the Internet Most of them secure transfer of sensigve data using SSL (Secure Sockets Layer protocol) (Transport Layer Security (TLS) protocol) Seite 4

SSL Usage on Android The default Android API implements correct cergficate validagon. What could possibly go wrong? Seite 5

SSL Usage on Android A server needs a cergficate that was signed by a trusted CerGficate Authority ~130 pre- installed CAs For non- trusted cergficates a custom workaround is needed Seite 6

What about using a non- trusted cer2ficate? Q: Does anyone know how to accept a self signed cert in Java on the Android? A code sample would be perfect. A: Use the EasyX509TrustManager library hosted on code.google.com. Q: I am getting an error of javax.net.ssl.sslexception: Not trusted server certificate. I want to simply allow any certificate to work, regardless whether it is or is not in the Android key chain. I have spent 40 hours researching and trying to figure out a workaround for this issue. A: Look at this tutorial [...] stackoverflow.com Seite 7

Our Analysis downloaded 13,500 popular and free Apps from Google s Play Market built MalloDroid which is an androguard extension to analyze possible SSL problems in Android Apps broken TrustManager implementagons accept all Hostnames Eve/Mallory Webserver Seite 8

Sta2c Code Analysis Results 92,8 % Apps use INTERNET permission 91,7 % of networking API calls HTTP(S) related 0,8 % exclusively HTTPS URLs 46,2 % mix HTTP and HTTPS 17,28 % of all Apps that use HTTPS include code that fails during SSL cergficate validagon 1074 include crigcal code 790 accept all cergficates 284 accept all hostnames Seite 9

TrustManager Implementa2ons 22 different TrustManager implementagons NonValidatingTrustManager FakeTrustManager EasyX509TrustManager NaiveTrustManager TrustManager DummyTrustManager SimpleTrustManager AcceptAllTrustManager OpenTrustManager and all turn effecgve cergficate validagon off Seite 10

Manual App Tes2ng Results cherry- picked 100 Apps 21 Apps trust all cergficates 20 Apps accept all hostnames What we found: Seite 11

Manual App Tes2ng Results 39 185 million affected installs! What we found: Seite 12

One Example Zoner AV AnG- Virus App for Android Awarded best free AnG- Virus App for Android by av- test.org Seite 13

Zoner AV Virus signature updates via HTTPS GET No check for the virus update s authengcity! The good thing: It uses SSL Unfortunately: The wrong way static&final!hostnameverifier!do_not_verify!=!new!hostnameverifier()!!!! {!!!!!!! public&boolean!verify(string!paramstring,!sslsession!paramsslsession)!!! {!!!!!!!!!!!!!return&true;!!!!!!! }!! };! Seite 14

Zoner AV We did the following Seite 15

More Examples Remote Control App Remote Code InjecGon Unlocking Rental Cars Seite 16

How Do (Good) Apps React to MITMAs? Technically Usability Flickr Facebook Seite 17

Browser Warning Messages All do SSL cergficate validagon correctly All do SSL cergficate validagon correctly and warn the user if something goes and wrong. warn the user if something goes wrong. Seite 18

SSL Warning Messages Android Stock Browser All do SSL cergficate validagon correctly and warn the user if something goes wrong. Seite 19

Online Survey To find out if the Browser s warning messages help the users presented an SSL warning message To see if users know when they are surfing on an SSL protected website half of the pargcipants HTTP half of the pargcipants HTTPS and warn the user if something goes wrong. Seite 20

Online Survey - Results 745 pargcipants 47.5% of non- IT experts believed they were using a secure Internet connecgon... although it was plain HTTP.... 34.7 % of IT experts thought so too. ~50% had not seen an SSL warning message on their phone before. The risk users were warned against was rated with 2.86 (sd=.94) on a scale between 1 (low risk) and 5 (high risk) Overall, a considerable amount of pargcipants struggled to judge connecgon security accurately. Seite 21

Our Recommenda2ons Integrate SSL cergficate validagon tesgng into the development process Inform the user INTERNET_SSL and INTERNET_PLAIN permission global SSL warning message Seite 22

Seite 23

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information